A report from The New York Times has revealed that messaging app ToTok, popular in the United Arab Emirates, is in fact a government spy tool, created for the benefit of UAE intelligence officials and used to track citizens’ conversations and movements.

ToTok launched earlier this year and has been downloaded by millions in the UAE, a nation where Western messaging apps like WhatsApp and Skype are partially blocked. It promised “fast, free, and secure” messages and calls, and attracted users across the Middle East and beyond, even becoming one of the most downloaded social apps in the US last week.

But, citing classified briefings from US intelligence officials and its own analysis, the NYT reports that ToTok is really a way for the UAE government to spy directly on its people. Citizens who used the app were sharing messages, pictures and videos, and even their location (supposedly being tracked to provide weather updates) with Emirati intelligence.

The Times notes that this is something of a new development in the history of digital spying by authoritarian regimes. Although many governments routinely hack citizens’ phones, not many set up an ostensibly legitimate app and simply ask for access to their data.

“There is a beauty in this approach,” security researcher Patrick Wardle, who conducted an independent forensic analysis of ToTok, told the Times. “You don’t need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need?”

The Times reports that the company that runs ToTok, Breej Holding, is most likely a front for Abu Dhabi-based cybersecurity firm DarkMatter. The app is also connected to UAE data-mining firm Pax AI, which shares offices with the Emirates’ signals intelligence agency.

Breej Holding, DarkMatter, and the UAE government have yet to comment on the Times report, but both Google and Apple have removed ToTok from the Play Store and App Store. The FBI also refused to comment, but a spokesperson for the bureau told the Times: “[W]hile the FBI does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose.”