- Researchers found a new spyware campaign mainly targeting Iranian Android VPN users
- DCHSpy is leveraged by the Iranian cyber espionage group MuddyWater, which is thought to have links with Iran’s Ministry of Intelligence and Security
- The campaign started one week after the Israel-Iran conflict began, while VPN demand skyrocketed across the country
Researchers have discovered a new Iran-linked spyware campaign that mostly targets Android VPN users.
The team at security software provider, Lookout, found a new version of DCHSpy, an Android spyware that masquerades as legitimate VPN apps or other applications. This includes Starlink, a satellite internet connection service offered by SpaceX.
The malware campaign, according to experts’ findings, was deployed by the hacking group MuddyWater only a week after the Israel-Iran conflict began – exactly when VPN demand skyrocketed in Iran as citizens looked for ways to bypass new internet restrictions.
DCHSpy 2025 – what are the risk?
As experts explain, DCHSpy is an intrusive piece of software that can collect users’ sensitive information like WhatsApp data, contacts, SMS, files, location, and call logs, while even recording audio and taking photos.
First detected in July 2024, DCHSpy is maintained by MuddyWater hackers, a group thought to have links with Iran’s Ministry of Intelligence and Security.
Experts have now discovered four new samples of DCHSpy.
“These new samples show that MuddyWater has continued to develop the surveillanceware with new capabilities – this time exhibiting the ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data,” explains Lookout.
Specifically, hackers appear to be using two malicious VPN services, called EarthVPN and ComodoVPN, as a way to spread the malware.
HideVPN was another fake VPN app previously used to deploy DCHSpy.
According to Iranian Information Security Analyst, Azam Jangrevi, the latest findings are a stark reminder of how sophisticated and targeted mobile surveillance has become.
“What’s especially concerning is its use of trusted platforms like Telegram to distribute malicious APKs, often under the guise of tools meant to protect privacy,” Jangrevi told TechRadar.
The risk for Iranians is especially high, considering that, as mentioned earlier, citizens have been increasingly turning to the best VPN apps as the internet becomes increasingly restricted.
How to stay safe
Jangrevi recommends anyone looking to download a new VPN service, or any other application for that matter, to be vigilant.
“Avoid downloading apps from unofficial sources, even if they appear to offer enhanced privacy. Stick to verified app stores, scrutinize app permissions, and use mobile security solutions that can detect threats like DCHSpy,” said Jangrevi.
If you’re in a high-risk region or profession such as journalism or activism, Jangrevi also suggests using hardware-based security keys and encrypted messaging apps vetted by independent researchers.
She said: “This incident underscores the need for greater awareness around mobile threat vectors and the importance of digital hygiene in an increasingly hostile cyber landscape.”
