Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.
Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear.
“DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos,” security researchers Alemdar Islamoglu and Justin Albrecht said.
First detected in July 2024, DCHSpy is assessed to be the handiwork of MuddyWater, an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, and Yellow Nix.
Early iterations of DCHSPy have been identified targeting English and Farsi speakers via Telegram channels using themes that run counter to the Iranian regime. Given the use of VPN lures to advertise the malware, it’s likely that dissidents, activists, and journalists are a target of the activity.
It’s suspected that the newly identified DCHSpy variants are being deployed against adversaries in the wake of the recent conflict in the region by passing them off as seemingly useful services like Earth VPN (“com.earth.earth_vpn”), Comodo VPN (“com.comodoapp.comodovpn”), and Hide VPN (“com.hv.hide_vpn”).
Interestingly, one of the Earth VPN app samples has been found to be distributed in the form of APK files using the name “starlink_vpn(1.3.0)-3012 (1).apk,” indicating that the malware is likely being spread to targets using Starlink-related lures.
It’s worth noting that Starlink’s satellite internet service was activated in Iran last month amid a government-imposed internet blackout. But, weeks later, the country’s parliament voted to outlaw its use over unauthorized operations.
A modular trojan, DCHSpy is equipped to collect a wide range of data, including account signed-in to the device, contacts, SMS messages, call logs, files, location, ambient audio, photos, and WhatsApp information.
DCHSpy also shares infrastructure with another Android malware known as SandStrike, which was flagged by Kaspersky in November 2022 as targeting Persian-speaking individuals by posing as seemingly harmless VPN applications.
The discovery of DCHSpy is the latest instance of Android spyware that has been used to target individuals and entities in the Middle East. Other documented malware strains include AridSpy, BouldSpy, GuardZoo, RatMilad, and SpyNote.
“DCHSpy uses similar tactics and infrastructure as SandStrike,” Lookout said. “It is distributed to targeted groups and individuals by leveraging malicious URLs shared directly over messaging apps such as Telegram.”
“These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel.”
