
Iran-Linked DCHSpy Android Malware Disguises as VPN and Starlink Apps to Target Dissidents

A new Android spyware campaign is using fake VPN apps—and even a Starlink-themed installer—to spy on Iranian dissidents, journalists, and activists. According to cybersecurity firm Lookout, the malware, dubbed DCHSpy, is believed to be backed by Iran’s Ministry of Intelligence and Security (MOIS). And it’s not just sophisticated—it’s specifically designed to operate in silence.

What makes this spyware particularly dangerous isn’t just the data it collects, but how convincingly it masquerades as legitimate tools people rely on for privacy and uncensored internet access—especially in a region known for internet censorship and political crackdowns.

What Is DCHSpy and How Does It Work?

First detected in July 2024, DCHSpy is a modular Android trojan capable of stealing a broad range of personal data, including:

  • WhatsApp conversations
  • Account credentials
  • Call logs and contact lists
  • SMS messages
  • Photos and audio recordings
  • Device location and stored files

Once installed, it runs silently in the background, performing real-time surveillance without triggering any obvious red flags for the user.

Lookout researchers discovered four variants of DCHSpy apps pretending to be secure VPN services—like Earth VPN, Comodo VPN, and Hide VPN. One version was even named to imitate Starlink, SpaceX’s satellite internet service, using the filename:

starlink_vpn(1.3.0)-3012 (1).apk

This strategy is more than just clever branding—it’s tailored to exploit real-world political events.
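A practical way to turn the capability list above into a triage check is to compare what an app claims to be with what it asks for: a VPN client needs network permissions, not SMS, call-log, contact, microphone, location or storage access, which are exactly the data categories DCHSpy collects. The following Python script is an added example, not code from the article or from Lookout; the two AndroidManifest.xml fragments are constructed for illustration and are not DCHSpy samples, and the permission-to-data mapping and the `triage` threshold are assumptions of this example.

```python
"""Triage heuristic: VPN-branded Android apps requesting surveillance-class permissions.

Added example, not part of the article or of Lookout's research. The manifests
below are constructed; they are not taken from any real DCHSpy sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, mapped to the data categories the article says
# DCHSpy steals (SMS, call logs, contacts, audio, location, stored files/photos).
# A legitimate VPN client has no need for any of them. (Mapping is an assumption.)
SPYWARE_CLASS_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files and photos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}

# Lure themes drawn from the app names the article mentions (VPN brands, Starlink).
LURE_KEYWORDS = ("vpn", "starlink")


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.attrib.get(name_attr, "") for el in root.iter("uses-permission")}


def looks_like_lure(label: str) -> bool:
    """True if the app label or filename uses a privacy-tool theme."""
    low = label.lower()
    return any(k in low for k in LURE_KEYWORDS)


def triage(label: str, manifest_xml: str) -> dict:
    """Flag privacy-themed apps that request two or more surveillance-class permissions."""
    perms = requested_permissions(manifest_xml)
    suspicious = sorted(p for p in perms if p in SPYWARE_CLASS_PERMISSIONS)
    data_at_risk = sorted({SPYWARE_CLASS_PERMISSIONS[p] for p in suspicious})
    lure = looks_like_lure(label)
    return {
        "label": label,
        "vpn_branded": lure,
        "suspicious_permissions": suspicious,
        "data_at_risk": data_at_risk,
        # The combination is what matters: a "privacy" tool asking for surveillance data.
        "flag": lure and len(suspicious) >= 2,
    }


# Constructed manifest for a plausibly benign VPN client: network-only permissions.
BENIGN_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

# Constructed manifest for a lure-style app: network access plus the data
# categories the article lists. Not a real DCHSpy manifest.
LURE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (
        ("Earth VPN (constructed benign build)", BENIGN_VPN_MANIFEST),
        ("starlink_vpn(1.3.0)-3012 (1).apk", LURE_VPN_MANIFEST),
    ):
        result = triage(label, manifest)
        status = "FLAG" if result["flag"] else "ok"
        print(f"[{status}] {label}: data at risk = {result['data_at_risk']}")
```

On a real device the manifest is read from the installed APK (for example with `aapt dump permissions`), and the same logic applies to any sideloaded app whose branding promises privacy; the script deliberately ignores the filename itself as an indicator, since attackers can rename an APK freely, and keys on the permission mismatch instead.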

Who’s Behind It?

The group suspected to be behind DCHSpy is MuddyWater, a state-aligned hacking unit linked to Iran’s MOIS. Also known under aliases like Seedworm, TA450, Static Kitten, Yellow Nix, and others, MuddyWater has been active in cyberespionage operations for years—targeting governments, NGOs, media, and opposition groups across the Middle East.

DCHSpy’s infrastructure also overlaps with SandStrike, another Android spyware discovered in 2022 that was similarly disguised as a VPN to infect Persian-speaking users.

Why Use Fake VPNs and Starlink Apps?

VPNs are popular among Iranian citizens who want to bypass censorship and access banned platforms. This makes VPN-themed lures a perfect Trojan horse—people download what they believe is a tool for digital freedom, only to install spyware that hands


Copyright © 2022 Inventrium Magazine