Recent cybersecurity investigations have unveiled DCHSpy, a sophisticated Android spyware campaign tied to Iran's Ministry of Intelligence and Security (MOIS). Masquerading as legitimate VPN tools and Starlink connectivity apps, this malware is engineered to infiltrate devices of individuals deemed adversaries of the Iranian regime.
Technical Attribution and Threat Actor
-
DCHSpy is attributed to the Iranian state-sponsored threat group MuddyWater, also known under aliases such as:
- Boggy Serpens
- Cobalt Ulster
- Earth Vetala
- ITG17
- Mango Sandstorm / Mercury
- Seedworm
- Static Kitten
- TA450
- Yellow Nix
-
The spyware was first flagged by Lookout Security in July 2024, shortly after heightened tensions between Israel and Iran.
Attack Vectors and Target Demographics
Distribution Channels
- DCHSpy spreads primarily via Telegram channels—bypassing traditional app store security.
- The malware disguises itself as:
- Earth VPN
- Comodo VPN
- Hide VPN
- Starlink-branded APKs, such as
starlink_vpn(1.3.0)-3012 (1).apk
Psychological Lures
- Starlink branding exploits Iranian users' interest in unrestricted internet access following Starlink's brief activation and subsequent ban in the country.
Primary Targets
- Farsi- and English-speaking users
- Journalists, activists, and dissidents opposing Iranian government policies
Capabilities and Impact
DCHSpy is a modular Android trojan capable of extensive surveillance operations, including:
- WhatsApp data extraction
- Access to user accounts and contact lists
- Harvesting SMS messages, call logs, and stored files
- Real-time location tracking
- Ambient audio recording and unauthorized photograph capture
Technical Parallels
- Shares code and behavioral traits with SandStrike, a prior VPN-themed Android spyware discovered in 2022.
Regional Context and Ongoing Threats
The rise of DCHSpy aligns with escalating digital repression in Iran, following the Israel-Iran conflict and subsequent partial ceasefire.
Other Notable Android Spyware Campaigns in the Region:
- AridSpy
- BouldSpy
- GuardZoo
- RatMilad
- SpyNote
This indicates a wider strategy of mobile surveillance targeting civil society actors across the Middle East.
Conclusion
The DCHSpy campaign exemplifies how nation-state actors exploit popular digital privacy tools to execute covert surveillance. By posing as VPN and Starlink apps, Iranian operatives are targeting vulnerable communities seeking secure communication.
User Recommendations:
- Avoid downloading APKs from untrusted sources
- Use official app stores only
- Stay updated on security advisories
- Leverage mobile security tools that detect sideloaded threats
FAQs
What is DCHSpy malware?
DCHSpy is Iranian-linked Android spyware disguised as VPN and Starlink apps, used for surveillance.
How does DCHSpy spread?
It is typically distributed via Telegram and sideloaded through malicious APK files.
Who is behind DCHSpy?
The malware is attributed to MuddyWater, a cyber-espionage group linked to Iran's Ministry of Intelligence and Security.
What can DCHSpy access on a phone?
It can extract contacts, WhatsApp data, SMS, call logs, photos, ambient audio, and GPS location.
How can I protect myself?
Use apps only from official sources, be wary of unexpected downloads, and install reputable mobile security software.