- Researchers have found a new spyware campaign aimed mainly at Android VPN users in Iran
- DCHSpy is used by MuddyWater, an Iranian espionage group believed to be linked to Iran's Ministry of Intelligence and Security
- The campaign began a week after the Israel-Iran conflict started, as demand for VPNs surged across the country
Researchers have discovered a new Iran-linked spyware campaign aimed mainly at Android VPN users.
Security software vendor Lookout found a new version of DCHSpy, an Android spyware that poses as legitimate VPN apps and other applications, including Starlink, the satellite internet service operated by SpaceX.
According to the researchers, the MuddyWater hacking group deployed the campaign just one week after the Israel-Iran conflict began, exactly when demand for VPNs surged in Iran as citizens looked for ways around new internet restrictions.
DCHSpy 2025 – what is the risk?
As the researchers explain, DCHSpy is an intrusive piece of software that can collect sensitive user information such as WhatsApp data, contacts, SMS messages, files, location and call logs, and can also record audio and take photos.
First detected in July 2024, DCHSpy is maintained by the MuddyWater hackers, a group believed to be linked to Iran's Ministry of Intelligence and Security.
Lookout has now identified four new DCHSpy samples.
"These new samples show that MuddyWater has continued to develop the surveillanceware with new capabilities, this time exhibiting the ability to identify and exfiltrate file data on the device, as well as WhatsApp data," Lookout explains.
Specifically, the hackers appear to be using two malicious VPN apps, named EarthVPN and ComodoVPN, to spread the malware.
HideVPN was another fake VPN app previously used to deploy DCHSpy.
According to Iranian information security analyst Azam Jangrevi, the latest findings are a stark reminder of how sophisticated and targeted mobile surveillance has become.
"What is especially worrying is its use of trusted platforms such as Telegram to distribute malicious APKs, often under the guise of tools aimed at protecting privacy," Jangrevi told TechRadar.
The risk for Iranians is especially high, considering that, as mentioned above, citizens have increasingly turned to VPN apps as internet restrictions tighten.
How to stay safe
Jangrevi recommends that anyone looking to download a new VPN service, or any other app for that matter, stay alert.
"Avoid downloading apps from unofficial sources, even if they appear to offer improved privacy. Stick to verified app stores, review app permissions and use mobile security solutions that can detect threats such as DCHSpy," Jangrevi said.
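The permission review Jangrevi recommends can be made concrete. The script below is an added example for this article, not code from Lookout, TechRadar or the analysts quoted: it takes the permissions declared in an APK's AndroidManifest.xml (as decoded by apktool, or as printed by `aapt dump permissions`) and flags those that would enable the data collection the article attributes to DCHSpy (contacts, SMS, call logs, files, location, audio, photos), none of which a VPN client needs. The permission names are standard Android constants; the two manifests and the aapt output are constructed samples and are not the real EarthVPN, ComodoVPN or HideVPN manifests.

```python
"""Triage an Android VPN app's declared permissions against the data DCHSpy
is reported to collect (added example; constructed inputs, not real malware)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to DCHSpy, mapped to the Android
# permissions an app must declare to implement them. A VPN client needs none
# of these: it needs INTERNET and a service guarded by BIND_VPN_SERVICE.
# "WhatsApp data" has no dedicated permission; broad storage access (or an
# accessibility service, not checked here) is the usual route, so "files"
# only partly covers it.
SPYWARE_INDICATORS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "photos",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
}


def permissions_from_manifest(xml_text):
    """Collect <uses-permission> names from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    return {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
        if el.get(ANDROID_NS + "name")
    }


def permissions_from_aapt(dump_text):
    """Parse `aapt dump permissions` output. Accepts both the current
    "uses-permission: name='X'" form and the older "uses-permission: X"."""
    return set(re.findall(r"uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)", dump_text))


def triage_vpn_app(perms):
    """Return {capability: [permissions]} for each DCHSpy-like capability the
    declared permissions would enable. An empty dict means nothing stood out."""
    findings = {}
    for perm in sorted(perms):
        cap = SPYWARE_INDICATORS.get(perm)
        if cap:
            findings.setdefault(cap, []).append(perm)
    return findings


# Constructed sample: what a plausible, benign VPN client declares.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a "VPN" that also asks for everything a spyware needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample of `aapt dump permissions` output, mixing both line forms.
AAPT_DUMP = """package: name='com.example.fakevpn' versionCode='3'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission-sdk-23: android.permission.READ_CONTACTS
"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        findings = triage_vpn_app(permissions_from_manifest(manifest))
        print(f"{label}: {len(findings)} spyware-like capabilities")
        for cap, perms in findings.items():
            print(f"  {cap}: {', '.join(perms)}")
```

Declared permissions are a first filter, not a verdict: an app can also reach messages and screen content through an accessibility service or a notification listener without any of the permissions above, so the declared `<service>` elements deserve the same scrutiny, and a clean manifest does not clear an APK obtained from a Telegram channel rather than a verified store.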
For anyone in a high-risk region or profession, such as journalism or activism, Jangrevi also suggests using hardware-based security keys and messaging apps vetted by independent researchers.
She said: "This incident underscores the need for greater awareness of mobile threat vectors and the importance of digital hygiene in an increasingly hostile cyber landscape."