Iran-Linked Android Spyware Masquerades as VPNs


A recent investigation by Lookout has revealed a fresh wave of Android spyware disguised as legitimate VPN and banking apps, raising new concerns over mobile espionage. The malware, tracked as DCHSpy, is attributed to MuddyWater, a cyber group aligned with the Iranian government.

In June 2025, one week after the conflict between Israel and Iran escalated, Lookout discovered four new DCHSpy samples being distributed through Telegram. The malicious apps imitated familiar services such as Earth VPN, Comodo VPN, and Hide VPN. Rather than providing a secure connection, the app, once installed and granted permissions, harvests personal data from the device: SMS messages, contact lists, location history, WhatsApp conversations, call logs, stored files, microphone recordings, and camera images.
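A VPN client has a small, predictable permission footprint, so the quickest triage of a suspicious "VPN" APK is to compare its declared permissions against the data categories listed above. The script below is an added example, not code from Lookout or from the article; the data-type-to-permission mapping is standard Android API knowledge rather than anything stated in the report, the "VPN baseline" set is my own assumption about what a legitimate client needs, and both permission dumps are constructed in the style of `aapt dump permissions app.apk` output rather than taken from real DCHSpy samples.

```python
import re

# Android permissions that grant access to each kind of data the article says
# DCHSpy collects. WhatsApp message access has no single permission (it is
# usually reached through file access or an accessibility service), so it is
# covered only indirectly by the "files" category here.
SURVEILLANCE_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "files": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Assumed baseline: what a genuine VPN client plausibly needs. BIND_VPN_SERVICE
# is declared on the service element, not as a uses-permission, so it is absent.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Accepts both "uses-permission: name='X'" (newer aapt) and "uses-permission: X".
PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?([\w.]+)")


def parse_aapt_permissions(dump_text):
    """Return the set of uses-permission names from an aapt-style dump."""
    return set(PERM_RE.findall(dump_text))


def triage_vpn_app(perms):
    """Score an app claiming to be a VPN against the surveillance permission set."""
    hits = {
        category: sorted(perms & names)
        for category, names in SURVEILLANCE_PERMISSIONS.items()
        if perms & names
    }
    all_surveillance = set().union(*SURVEILLANCE_PERMISSIONS.values())
    # Permissions explained by neither the VPN baseline nor a surveillance category.
    unexplained = sorted(perms - VPN_BASELINE - all_surveillance)
    if len(hits) >= 3:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "consistent-with-vpn"
    return {"verdict": verdict, "categories": hits, "unexplained": unexplained}


# Constructed sample dumps (not real samples): a fake VPN carrying the full
# data-theft permission set, and a plausible genuine VPN client.
FAKE_VPN_DUMP = """\
package: com.example.fakevpn
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.BIND_ACCESSIBILITY_SERVICE'
"""

GENUINE_VPN_DUMP = """\
package: com.example.realvpn
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
"""

if __name__ == "__main__":
    for label, dump in (("fake", FAKE_VPN_DUMP), ("genuine", GENUINE_VPN_DUMP)):
        print(label, triage_vpn_app(parse_aapt_permissions(dump)))
```

The threshold of three categories is deliberately conservative: a single location or storage permission can have a benign explanation, but a "VPN" that wants SMS, call logs, the microphone and the camera together has no legitimate reason for them. Anything left in `unexplained` (here the accessibility-service binding) deserves a manual look in the manifest.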

A notable aspect of the campaign is its use of Starlink-themed lures. As Iran imposed internet restrictions at the onset of the conflict, the attackers dangled the promise of satellite connectivity to entice users into downloading the malware, a tactic that plays directly on Iranian users' rising interest in Starlink as an alternative route to the internet.

Under the hood, DCHSpy shares much of its infrastructure with a previously identified spyware family, SandStrike. Both use the same hardcoded Command and Control (C2) IP address, which has also been tied to a PowerShell-based Remote Access Trojan attributed to MuddyWater. After installation, the malware contacts the C2 server to obtain encryption keys, then compresses and encrypts the stolen data as instructed and uploads it over SFTP.
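The exfiltration pattern just described (a check-in with a hardcoded C2 IP, followed by a bulk upload over SFTP to that same IP) is unusual for a phone, which normally has no reason to open SSH sessions at all. The detector below is an added example, not code from Lookout or the article: it correlates flow records per (source, destination) pair and flags a host whose HTTP/HTTPS contact with an IP is followed within a short window by a large outbound transfer to port 22 on that IP. The flow lines are constructed for the example and use documentation address ranges; they are not the real DCHSpy C2 address, which the article does not publish.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, CSV: timestamp, src, dst, dst_port, bytes_out.
# 10.20.0.15 beacons over HTTPS then pushes 5 MiB over SSH/SFTP to the same IP
# within seconds. 10.20.0.22 is ordinary HTTPS traffic. 10.20.0.31 does the
# same two steps but 90 minutes apart, outside the default correlation window.
FLOWS = """\
2025-06-20T10:00:01Z,10.20.0.15,203.0.113.9,443,1820
2025-06-20T10:00:03Z,10.20.0.15,203.0.113.9,22,5242880
2025-06-20T10:05:00Z,10.20.0.22,198.51.100.7,443,40211
2025-06-20T10:06:00Z,10.20.0.22,198.51.100.7,443,12000
2025-06-20T10:10:00Z,10.20.0.31,203.0.113.9,443,900
2025-06-20T11:40:00Z,10.20.0.31,203.0.113.9,22,3000000
"""

BEACON_PORTS = {80, 443}
SFTP_PORT = 22


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, port, bytes_out) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append((stamp, src, dst, int(port), int(nbytes)))
    return sorted(flows)


def detect_sftp_exfil(flows, window=timedelta(minutes=30), min_bytes=1_048_576):
    """Flag hosts that beacon to an IP and then upload >= min_bytes over port 22 to it."""
    by_pair = defaultdict(list)
    for stamp, src, dst, port, nbytes in flows:
        by_pair[(src, dst)].append((stamp, port, nbytes))

    alerts = []
    for (src, dst), events in by_pair.items():
        beacons = [t for t, port, _ in events if port in BEACON_PORTS]
        uploads = [(t, n) for t, port, n in events if port == SFTP_PORT and n >= min_bytes]
        for up_time, nbytes in uploads:
            # The most recent beacon before the upload, if any, must fall inside the window.
            prior = [b for b in beacons if b <= up_time]
            if prior and up_time - max(prior) <= window:
                alerts.append({
                    "src": src,
                    "c2": dst,
                    "beacon_at": max(prior).isoformat(),
                    "upload_at": up_time.isoformat(),
                    "bytes_out": nbytes,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_sftp_exfil(parse_flows(FLOWS)):
        print(alert)
```

The window and byte threshold are tuning knobs, not facts from the report: a longer window catches slower implants at the cost of more noise from legitimate devices that happen to talk to a host on both 443 and 22. On a mobile-only network segment the simpler rule "any outbound port 22 from a handset" is often a good enough first alert on its own.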

Security analysts emphasize the importance of vigilance in regions experiencing digital service disruptions. Downloads from unofficial sources, especially during crises, may expose devices to covert surveillance. Lookout has pledged to keep tracking MuddyWater’s activity and plans to share updates as further details unfold.

The emergence of DCHSpy underscores the growing sophistication of spyware tactics that merge geopolitical events with technical deception—representing a significant cybersecurity challenge for users in affected zones worldwide.