Beware – Iran-linked fake VPN apps found to spy on Android users

News
By published

DCHSpy is a spyware leveraged by the Iranian cyber espionage group MuddyWater

malware
Image Credit: Flickr (Image credit: Shutterstock)
  • Researchers found a new spyware campaign mainly targeting Iranian Android VPN users
  • DCHSpy is leveraged by the Iranian cyber espionage group MuddyWater, which is thought to have links with Iran's Ministry of Intelligence and Security
  • The campaign started one week after the Israel-Iran conflict began, while VPN demand skyrocketed across the country

Researchers have discovered a new Iran-linked spyware campaign that mostly targets Android VPN users.

The team at security software provider, Lookout, found a new version of DCHSpy, an Android spyware that masquerades as legitimate VPN apps or other applications. This includes Starlink, a satellite internet connection service offered by SpaceX.

The malware campaign, according to experts' findings, was deployed by the hacking group MuddyWater only a week after the Israel-Iran conflict began – exactly when VPN demand skyrocketed in Iran as citizens looked for ways to bypass new internet restrictions.

DCHSpy 2025 – what are the risk?

Technology background with national flag of Iran. 3D rendering

virtual private network (VPN) is security software that encrypts all internet connections while spoofing a user's real IP address location. The latter skill is exactly what's needed to bypass geo-restrictions like those in place in Iran right now. (Image credit: Shutterstock / HTGanzo)

As experts explain, DCHSpy is an intrusive piece of software that can collect users' sensitive information like WhatsApp data, contacts, SMS, files, location, and call logs, while even recording audio and taking photos.

First detected in July 2024, DCHSpy is maintained by MuddyWater hackers, a group thought to have links with Iran's Ministry of Intelligence and Security.

Experts have now discovered four new samples of DCHSpy.

"These new samples show that MuddyWater has continued to develop the surveillanceware with new capabilities – this time exhibiting the ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data," explains Lookout.

Specifically, hackers appear to be using two malicious VPN services, called EarthVPN and ComodoVPN, as a way to spread the malware.

HideVPN was another fake VPN app previously used to deploy DCHSpy.

Screenshot of malicious VPN apps used by MuddyWater hackers to inject DCHSpy spyware

These are the malicious VPN apps used by MuddyWater hackers to inject DCHSpy spyware (Image credit: Lookout)

According to Iranian Information Security Analyst, Azam Jangrevi, the latest findings are a stark reminder of how sophisticated and targeted mobile surveillance has become.

"What’s especially concerning is its use of trusted platforms like Telegram to distribute malicious APKs, often under the guise of tools meant to protect privacy," Jangrevi told TechRadar.

The risk for Iranians is especially high, considering that, as mentioned earlier, citizens have been increasingly turning to the best VPN apps as the internet becomes increasingly restricted.

How to stay safe

Jangrevi recommends anyone looking to download a new VPN service, or any other application for that matter, to be vigilant.

"Avoid downloading apps from unofficial sources, even if they appear to offer enhanced privacy. Stick to verified app stores, scrutinize app permissions, and use mobile security solutions that can detect threats like DCHSpy," said Jangrevi.

If you’re in a high-risk region or profession such as journalism or activism, Jangrevi also suggests using hardware-based security keys and encrypted messaging apps vetted by independent researchers.

She said: "This incident underscores the need for greater awareness around mobile threat vectors and the importance of digital hygiene in an increasingly hostile cyber landscape."

You might also like

TOPICS
Chiara Castro
Chiara Castro
News Editor (Tech Software)

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She believes an open, uncensored, and private internet is a basic human need and wants to use her knowledge of VPNs to help readers take back control. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, tech policies, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.