- Researchers found a new spyware campaign mainly targeted at Iranian Android VPN users
- DCHSpy is operated by the Iranian cyber-espionage group MuddyWater, which is believed to have connections with Iran's Ministry of Intelligence and Security
- The campaign started a week after the Israel-Iran conflict began, as VPN demand skyrocketed all over the country
Researchers have discovered a new Iran-linked spyware campaign that is mostly aimed at Android VPN users.
The team at security software provider Lookout found a new version of DCHSpy, an Android spyware that masquerades as legitimate VPN apps or other applications. This includes Starlink, a satellite internet connection service offered by SpaceX.
According to the experts' conclusions, the malware campaign was deployed by the hacking group MuddyWater just a week after the Israel-Iran conflict began, when VPN demand skyrocketed in Iran as citizens looked for ways to bypass new internet restrictions.
DCHSpy 2025 – What is the risk?
As experts explain, DCHSpy is an intrusive piece of software that can collect users' sensitive information such as WhatsApp data, contacts, SMS, files, location and call logs, while even recording audio and taking photos.
First discovered in July 2024, DCHSpy is maintained by MuddyWater, a hacking group believed to have connections with Iran's Ministry of Intelligence and Security.
Experts have now discovered four new samples of DCHSpy.
“These new samples show that MuddyWater has continued to develop monitoringware with new opportunities – this time exhibiting the ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data,” Lookout explains.
Specifically, the hackers appear to use two malicious VPN services, called EarthVPN and ComodoVPN, as a way of spreading the malware.
HideVPN was another fake VPN app previously used to deliver DCHSpy.

According to Iranian information security analyst Azam Jangrevi, the latest findings are a sharp reminder of how sophisticated and targeted mobile surveillance has become.
“What is particularly about is its use of reliable platforms such as Telegram to distribute malicious APKs, often under cover of tools intended to protect privacy,” Jangrevi told TechRadar.
The risk for Iranians is especially high, given that citizens, as mentioned earlier, have increasingly turned to the best VPN apps as the internet becomes more and more restricted.
How to remain safe
Jangrevi recommends that anyone who wants to download a new VPN service, or any other application for that matter, be vigilant.
“Avoid downloading apps from unofficial sources even if they seem to offer improved privacy. Stick to verified app stores, check app permits and use mobile security solutions that can detect threats like DCHSPY,” Jangrevi said.
If you are in a high-risk region or profession such as journalism or activism, Jangrevi also suggests using hardware-based security keys and encrypted messaging apps monitored by independent researchers.
She said: “This incident emphasizes the need for greater attention to mobile pantyheds and the importance of digital hygiene in an increasingly hostile cyber landscape.”



