# Uncovered: Four recent examples of Android spyware traced back to Iran's intelligence agency
## Uncovered: Enhanced DCHSpy Malware Targeting Android Devices
A new wave of DCHSpy, an Android spyware linked to the Iranian Ministry of Intelligence and Security (MOIS) and its associated cyber espionage group MuddyWater, has been discovered by Lookout security researchers. The latest versions of this malware have been updated with enhanced capabilities, posing a significant threat to privacy and security.
### Expanded Data Collection Capabilities
The updated DCHSpy variants now have the ability to collect a broader range of sensitive data from Android devices, including WhatsApp data, account information, contacts, SMS messages, location data, call logs, audio, and photos. Moreover, it has been found that the malware can search for and exfiltrate sensitive files and folders stored on the device [1][2].
### Disguised as VPN Apps
In an effort to deceive users, the malware has been disguised as legitimate VPN apps, such as 'Earth VPN' and 'Comodo VPN'. These apps are believed to have been distributed via Telegram channels [2].
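A defender-side triage check suggested by the capabilities and the VPN disguise described above, added here as an example that is not from Lookout or from the article: it parses the `requested permissions:` section of `adb shell dumpsys package <pkg>` output and flags the data categories DCHSpy collects that a self-described VPN app has no reason to request. The permission names are real Android permissions; the dumpsys excerpt, the package name and the threshold of three categories are constructed assumptions.

```python
# Added example, not Lookout's code. Permission names are real Android permissions;
# the dumpsys excerpt below is constructed.
# Data categories the article lists for DCHSpy -> Android permissions gating them.
CATEGORY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

def parse_requested_permissions(dumpsys_text: str) -> set[str]:
    """Collect names in the indented block under 'requested permissions:'."""
    perms, indent, collecting = set(), 0, False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        cur = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            collecting, indent = True, cur
        elif collecting:
            if not stripped or cur <= indent:   # next dumpsys section: stop
                break
            perms.add(stripped.split(":")[0])   # tolerate 'perm: granted=true'
    return perms

def vpn_app_footprint(dumpsys_text: str, threshold: int = 3) -> dict:
    """Flag categories a self-described VPN app requests but has no need for (threshold of 3 is an assumption)."""
    perms = parse_requested_permissions(dumpsys_text)
    flagged = {cat: sorted(perms & gated)
               for cat, gated in CATEGORY_PERMISSIONS.items() if perms & gated}
    return {"flagged": flagged, "suspicious": len(flagged) >= threshold}

# Constructed `adb shell dumpsys package` excerpt for a hypothetical fake VPN.
SAMPLE_SUSPECT = """\
  Package [com.example.fakevpn] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    print(vpn_app_footprint(SAMPLE_SUSPECT))
```

A legitimate VPN client typically declares network permissions and a VpnService; a hit on several of the flagged categories is a reason to pull the APK for closer analysis rather than proof of compromise on its own.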
### Recent Developments and Distribution Channels
The latest samples of DCHSpy emerged roughly one week after Israeli strikes on Iranian nuclear sites in June 2025, suggesting heightened activity amid increased tensions. The malware is suspected to be distributed through various channels, including Telegram channels, phishing emails, messaging apps, and texts [1].
### Historical Context and Implications
MuddyWater, associated with Iran's Ministry of Intelligence and Security, first emerged in 2019. DCHSpy was first documented by Lookout in 2024 [2][3]. The continued development and deployment of DCHSpy reflect the ongoing cyber espionage activities by Iranian state-aligned groups. These efforts are part of broader surveillance attempts by nation-states during times of conflict [3].
One of the Comodo VPN distribution pages advertised in English that the service is used by activists and journalists all over the world. Meanwhile, Iran is cracking down on its citizens following the ceasefire with Israel [4]. The new DCHSpy code collects victims' WhatsApp data and can search for and exfiltrate sensitive files and folders stored on the device. WhatsApp is a juicy target for intelligence agencies because its end-to-end encryption means that reading conversations requires compromising the device itself rather than intercepting traffic [4].
The latest DCHSpy campaign is believed to target Iranian dissidents, activists, and journalists [4]. One of the Earth VPN samples has "Starlink" in the file name, suggesting that the malware slingers may be using Starlink as a lure to entice victims into downloading DCHSpy [4]. The VPN lure is commonly used in Iran due to the country's closed nature, according to Lookout security intel researcher Alemdar Islamoglu [4].
MuddyWater has historically targeted government and private entities in various sectors, such as telecommunications, local government, defense, and oil and natural gas across the Middle East, Asia, Africa, Europe, and North America [3]. As the situation in the Middle East continues to evolve, it is crucial to remain vigilant against such cyber threats.
[1] Lookout Security Blog: https://www.lookout.com/blog/dchspy-android-spyware-linked-to-iranian-mois
[2] Lookout Security Blog: https://www.lookout.com/blog/muddywater-espionage-crew-linked-to-irans-mois-emerges-with-new-android-spyware
[3] Lookout Security Blog: https://www.lookout.com/blog/muddywater-espionage-crew-linked-to-irans-mois-emerges-with-new-android-spyware-targeting-journalists-and-activists
[4] Lookout Security Blog: https://www.lookout.com/blog/dchspy-android-spyware-linked-to-iranian-mois-disguised-as-vpn-apps
- The enhanced DCHSpy malware, linked to Iran's Ministry of Intelligence and Security (MOIS), has been updated with new capabilities, posing a significant threat to mobile privacy and security.
- These updates now enable DCHSpy to collect a broader range of sensitive data, such as WhatsApp data, account information, contacts, SMS messages, location data, call logs, audio, photos, and even search for and exfiltrate sensitive files and folders on mobile devices.
- To deceive users, the malware is disguised as legitimate VPN apps like 'Earth VPN' and 'Comodo VPN', which are suspected to be distributed via Telegram channels.
- Recent developments suggest that the latest samples of DCHSpy emerged roughly one week after Israeli strikes on Iranian nuclear sites, indicating heightened activity as geopolitical tensions rise.
- Historically, MuddyWater, associated with Iran's Ministry of Intelligence and Security, has targeted government and private entities across various sectors, including telecommunications, political institutions, and general news outlets.
- Amid the evolving conflict in the region, it is crucial to remain vigilant against such threats, as cyber attacks of this kind can significantly affect the functioning of society as a whole.