New Android Spyware Poses as VPN to Steal Your Data

Sophia Taylor

Cybersecurity researchers have uncovered a sophisticated new Android spyware campaign linked to Iran’s state-sponsored hacking group, MuddyWater. The malware, known as DCHSpy, is being distributed through fake VPN applications and is designed to harvest personal data from victims’ devices. This activity spiked shortly after the outbreak of hostilities between Iran and Israel.

State-Sponsored Surveillance Tied to Geopolitical Conflict

The hacking group behind DCHSpy, MuddyWater, is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group has a long history of espionage campaigns targeting organizations and individuals across the Middle East, as well as in Asia, Europe, and North America.

Lookout, a mobile security firm, reported that a new wave of DCHSpy samples appeared roughly one week after Israeli strikes on Iranian nuclear infrastructure. These samples were camouflaged as VPN apps like “Earth VPN,” “Comodo VPN,” and “Hide VPN.” A version named “StarLink VPN” appears to reference reports of SpaceX offering internet access to Iranians during government-imposed outages, suggesting attackers are leveraging real-world events to boost credibility.

Fig 1. The malware disguised as various apps. Source: Lookout

These apps were distributed through Telegram, a popular messaging platform in the region, and targeted both English- and Farsi-speaking users. The malware was often advertised with politically charged themes intended to attract dissidents, activists, or journalists critical of the Iranian regime.

Broad Access to Private Communications and Media

Once installed, DCHSpy grants attackers deep access to a victim’s device. The spyware collects a wide range of data, including:

  • Contacts, SMS messages, and call logs
  • Location data and files stored locally
  • WhatsApp communications
  • Audio recordings via the microphone
  • Photos taken through the device’s camera

The spyware operates in a modular fashion, meaning it can be updated or adjusted remotely depending on the target. After gathering data, it compresses and encrypts the information using passwords received from a command-and-control server, and sends the payload to secure SFTP servers controlled by the attackers.

The malware infrastructure overlaps with that of SandStrike, another Android spyware linked to MuddyWater. Researchers identified shared command-and-control servers and reused code, indicating an integrated and ongoing surveillance effort.

Fake Apps Exploit Humanitarian Needs

The use of VPN-themed malware reflects a broader strategy by threat actors to exploit users’ need for secure internet access in restrictive environments. By impersonating trusted services during times of political unrest and internet blackouts, attackers are able to distribute spyware under the guise of tools that promise safety and privacy.

We recommend avoiding app downloads from messaging platforms or unofficial sources. Users should rely on verified app stores, especially when seeking tools related to internet privacy or bypassing censorship.