As the digital world becomes a new battleground in modern intelligence warfare, smartphone security is no longer just a personal matter.
Recently, cybersecurity researchers from Lookout uncovered a new Android malware called DCHSpy. They assess that it is linked to Iranian intelligence services and functions as a surveillance tool that targets dissidents through seemingly harmless VPN and Starlink apps.
State Hackers Disguise VPN Apps

DCHSpy was first identified in July 2024 by Lookout, a mobile security company. The malware is attributed to MuddyWater, a hacker group reportedly backed by the Iranian government and also known by other names such as Boggy Serpens, Mango Sandstorm, and Yellow Nix.
In its early stage, DCHSpy targeted English and Farsi speakers through Telegram channels featuring anti-regime content. In its latest variant, the malware poses as popular VPN apps such as Earth VPN, Comodo VPN, and Hide VPN, as well as apps related to Starlink, the satellite internet service that gained popularity in Iran after government-led internet blackouts.
Who Are the Targets?
This attack campaign shows a high level of targeting and sophistication. It specifically focuses on activists, journalists, and individuals who criticize the Iranian regime. Attackers trick victims into installing the malware by sending Telegram messages that promote apps with anti-government themes.
Once installed, DCHSpy can collect a wide range of personal data, including:
- User account information
- Contact lists
- SMS messages
- Call logs
- Stored files
- Device location
- WhatsApp data
- Audio recordings and photos captured through the microphone and camera without user consent
DCHSpy is also linked to another Android malware called SandStrike, which was discovered by Kaspersky in late 2022. SandStrike similarly targeted Persian-speaking users through fake VPN apps.
Why Use Starlink as Bait?
Starlink, a satellite internet service by SpaceX, was recently activated in Iran to help users circumvent government-imposed internet restrictions. Its growing popularity made it a convincing cover for distributing fake apps. Using Starlink’s name as bait is a clever tactic that exploits trust in the brand—especially in politically charged contexts.
Beyond DCHSpy: A Broader Threat Landscape
DCHSpy is just one of many spyware tools currently spreading across the Middle East. Other known threats include AridSpy, BouldSpy, GuardZoo, RatMilad, and SpyNote—all of which follow a similar pattern: masquerading as useful apps such as VPNs, security tools, or network utilities to deceive users.
How to Avoid VPN Malware
- Avoid installing APK files from sources other than the Google Play Store or a developer's verified website
- Always check the app developer’s name before downloading
- Use trusted mobile anti-malware solutions
- Keep your operating system and apps up to date
- Be cautious with links shared via messaging platforms like Telegram or WhatsApp
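The two checks above (where did the app come from, and what can it reach) can be combined into a quick triage of a device over ADB. The following is an added example, not code from the article or from Lookout: it parses constructed samples of the output of `adb shell pm list packages -3 -i` and the runtime-permission section of `adb shell dumpsys package <pkg>`, and flags any app not installed by the Play Store that has been granted permissions covering the data categories the report lists (contacts, SMS, call logs, files, location, microphone, camera). Package names and permission grants in the samples are made up; the threshold of two categories is an assumption.

```python
"""Triage sideloaded Android apps whose granted permissions cover the data
DCHSpy is reported to collect. Sample inputs below are constructed."""
import re

# Runtime permissions that map onto the data categories named in the report.
SPY_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
}
PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -3 -i` (installer=null means sideloaded).
PM_LIST = """\
package:com.example.earthvpn  installer=null
package:com.example.bank  installer=com.android.vending
"""
# Constructed samples of the "runtime permissions:" block from `dumpsys package`.
DUMPSYS = {
    "com.example.earthvpn": """\
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.bank": "      android.permission.CAMERA: granted=true, flags=[ USER_SET ]\n",
}

def parse_installers(pm_output):
    """Map package name -> installer package (None when sideloaded)."""
    found = re.findall(r"package:(\S+)\s+installer=(\S+)", pm_output)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def granted_spy_perms(dumpsys_text):
    """Return the data categories reachable through granted permissions."""
    granted = re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_text)
    return {SPY_PERMS[p] for p in granted if p in SPY_PERMS}

def triage(pm_output, dumpsys_by_pkg, threshold=2):
    """Flag apps not installed by the Play Store holding >= threshold categories."""
    flagged = {}
    for pkg, inst in parse_installers(pm_output).items():
        cats = granted_spy_perms(dumpsys_by_pkg.get(pkg, ""))
        if inst != PLAY_STORE and len(cats) >= threshold:
            flagged[pkg] = sorted(cats)
    return flagged

if __name__ == "__main__":
    for pkg, cats in triage(PM_LIST, DUMPSYS).items():
        print(f"{pkg}: sideloaded, granted access to {', '.join(cats)}")
```

On a real device, feed the script the captured command output instead of the samples; a flagged app is a candidate for review, not proof of infection, since legitimate messaging apps also hold several of these permissions.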
Staying vigilant and informed is key to protecting yourself from the growing wave of cyber threats targeting mobile users today.
Source: The Hacker News – Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents