Beware – Iran-linked fake VPN apps found to spy on Android users

Researchers have unveiled a troubling new spyware campaign that predominantly targets Iranian users of Android VPN applications. The security team at Lookout has identified a revamped version of DCHSpy, a form of spyware that cleverly disguises itself as legitimate VPN services, including the well-known Starlink, a satellite internet service provided by SpaceX. This campaign emerged just a week after the onset of the Israel-Iran conflict, coinciding with a significant surge in VPN usage among Iranians seeking to navigate newly imposed internet restrictions.

The virtual private network (VPN) serves as a crucial tool for users, encrypting internet connections and masking real IP addresses to circumvent geo-restrictions, particularly relevant in the current Iranian context. DCHSpy, however, is a particularly invasive software that can harvest sensitive user data, including WhatsApp messages, contacts, SMS, files, location information, and call logs. Alarmingly, it also possesses the capability to record audio and capture images.

First identified in July 2024, DCHSpy is reportedly maintained by the hacking group MuddyWater, which is believed to have connections to Iran’s Ministry of Intelligence and Security. Recent findings have revealed four additional samples of DCHSpy, indicating that MuddyWater has been actively enhancing this surveillance tool with new functionalities. These updates enable the malware to identify and extract data from specific files on the device, alongside WhatsApp data.

Experts have noted that the hackers are utilizing two malicious VPN services, EarthVPN and ComodoVPN, as vectors for spreading the malware. Previously, another deceptive VPN application, HideVPN, was used for the same purpose.

Azam Jangrevi, an Iranian Information Security Analyst, emphasized the sophistication and targeted nature of modern mobile surveillance. “What’s especially concerning is its use of trusted platforms like Telegram to distribute malicious APKs, often under the guise of tools meant to protect privacy,” Jangrevi remarked. This situation poses a heightened risk for Iranian citizens, who are increasingly relying on VPN applications as internet access becomes more restricted.

How to stay safe

In light of these developments, Jangrevi advises individuals seeking to download new VPN services or any applications to exercise caution. “Avoid downloading apps from unofficial sources, even if they appear to offer enhanced privacy. Stick to verified app stores, scrutinize app permissions, and utilize mobile security solutions capable of detecting threats like DCHSpy,” she recommended.

For those in high-risk professions, such as journalism or activism, Jangrevi suggests implementing hardware-based security keys and using encrypted messaging applications that have been vetted by independent researchers. “This incident underscores the necessity for greater awareness regarding mobile threat vectors and the importance of maintaining digital hygiene in an increasingly hostile cyber landscape,” she concluded.
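The permission check Jangrevi recommends can be partly automated. The following is an added example, not part of the article or of Lookout's research: it reads the `requested permissions:` block of `adb shell dumpsys package <pkg>` output and flags permissions that a VPN client has no reason to request, grouped by the data categories the article says DCHSpy harvests. The baseline of legitimate VPN permissions and the sample dumpsys excerpt are assumptions constructed for the demonstration.

```python
# Permissions a VPN client legitimately needs (assumed baseline, not from the article).
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}
# Permissions mapped to the data categories the article says DCHSpy collects.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "image capture",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

def parse_requested_permissions(dumpsys_text):
    """Collect the 'requested permissions:' block of `adb shell dumpsys package <pkg>` output."""
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        item = line.strip()
        if item == "requested permissions:":
            in_block = True
        elif in_block and (not item or item.endswith(":")):
            break  # the next section header ends the block
        elif in_block:
            perms.add(item)
    return perms

def assess_vpn_app(perms):
    """Group permissions a VPN app should not need by the data they expose."""
    report = {}
    for perm in sorted(perms - VPN_BASELINE):
        if perm in SURVEILLANCE_PERMISSIONS:
            report.setdefault(SURVEILLANCE_PERMISSIONS[perm], []).append(perm)
    return report

# Constructed dumpsys excerpt for a hypothetical app; not real DCHSpy output.
SAMPLE_DUMPSYS = """\
  Package [com.example.fakevpn]:
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.RECORD_AUDIO
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
"""
```

Run `assess_vpn_app(parse_requested_permissions(SAMPLE_DUMPSYS))` to get a dict keyed by the exposed data category; an empty dict means nothing beyond the baseline and the surveillance list was found.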
