Iran-Linked Android Spyware Masquerading as VPN and Starlink Apps

Recent cybersecurity investigations have unveiled DCHSpy, a sophisticated Android spyware campaign tied to Iran's Ministry of Intelligence and Security (MOIS). Masquerading as legitimate VPN tools and Starlink connectivity apps, this malware is engineered to infiltrate devices of individuals deemed adversaries of the Iranian regime.

Technical Attribution and Threat Actor

• DCHSpy is attributed to the Iranian state-sponsored threat group MuddyWater, also known under aliases such as:

  • Boggy Serpens
  • Cobalt Ulster
  • Earth Vetala
  • ITG17
  • Mango Sandstorm / Mercury
  • Seedworm
  • Static Kitten
  • TA450
  • Yellow Nix

• The spyware was first flagged by Lookout Security in July 2024, shortly after heightened tensions between Israel and Iran.

Attack Vectors and Target Demographics

Distribution Channels

• DCHSpy spreads primarily via Telegram channels—bypassing traditional app store security.
• The malware disguises itself as:
  • Earth VPN
  • Comodo VPN
  • Hide VPN
  • Starlink-branded APKs, such as starlink_vpn(1.3.0)-3012 (1).apk

Psychological Lures

• Starlink branding exploits Iranian users' interest in unrestricted internet access following Starlink's brief activation and subsequent ban in the country.

Primary Targets

• Farsi- and English-speaking users
• Journalists, activists, and dissidents opposing Iranian government policies

Capabilities and Impact

DCHSpy is a modular Android trojan capable of extensive surveillance operations, including:

• WhatsApp data extraction
• Access to user accounts and contact lists
• Harvesting SMS messages, call logs, and stored files
• Real-time location tracking
• Ambient audio recording and unauthorized photograph capture

Technical Parallels

• Shares code and behavioral traits with SandStrike, a prior VPN-themed Android spyware discovered in 2022.

Regional Context and Ongoing Threats

The rise of DCHSpy aligns with escalating digital repression in Iran, following the Israel-Iran conflict and subsequent partial ceasefire.

Other Notable Android Spyware Campaigns in the Region:

• AridSpy
• BouldSpy
• GuardZoo
• RatMilad
• SpyNote

This indicates a wider strategy of mobile surveillance targeting civil society actors across the Middle East.

Conclusion

The DCHSpy campaign exemplifies how nation-state actors exploit popular digital privacy tools to execute covert surveillance. By posing as VPN and Starlink apps, Iranian operatives are targeting vulnerable communities seeking secure communication.

User Recommendations:

• Avoid downloading APKs from untrusted sources
• Use official app stores only
• Stay updated on security advisories
• Leverage mobile security tools that detect sideloaded threats

FAQs

What is DCHSpy malware?

DCHSpy is Iranian-linked Android spyware disguised as VPN and Starlink apps, used for surveillance.

How does DCHSpy spread?

It is typically distributed via Telegram and sideloaded through malicious APK files.

Who is behind DCHSpy?

The malware is attributed to MuddyWater, a cyber-espionage group linked to Iran's Ministry of Intelligence and Security.

What can DCHSpy access on a phone?

It can extract contacts, WhatsApp data, SMS, call logs, photos, ambient audio, and GPS location.

How can I protect myself?

Use apps only from official sources, be wary of unexpected downloads, and install reputable mobile security software.