Researchers discover new Android spyware disguised as legitimate VPNs

Published: 23 July 2025
Last updated: 23 July 2025
dark grey android bot logo with dark grey broken vpn shield
By Cybernews.

Security researchers from cybersecurity firm Lookout have found new versions of DCHSpy disguised as authentic VPNs or banking applications.

DCHSpy is Android spyware developed and maintained by MuddyWater, a cyber espionage group believed to be affiliated with Iran’s Ministry of Intelligence and Security.

According to Lookout, this group has targeted numerous government and private entities across various sectors, including telecommunications, local government, defense, and oil and natural gas, in the Middle East, Asia, Africa, Europe, and North America.

ADVERTISEMENT

In June 2025, one week after the start of the Israel-Iran conflict, security researchers found evidence of four new samples of DCHSpy that were being deployed against adversaries. The spyware disguised itself as legitimate apps, such as Earth VPN, Comodo VPN, and Hide VPN, and was distributed via Telegram.

Instead of connecting users with VPN servers around the world, the spyware collects personal and sensitive user data, including contact information, SMS messages, location data, call logs, WhatsApp data, files stored on a device, audio fragments by controlling the microphone, and photos by controlling the camera.

Researchers suggest that the new samples of DCHSpy are using lures centered around Starlink, a satellite constellation designed to offer high-speed internet access to remote and rural areas around the world. This makes sense: as soon as the Israel-Iran conflict broke out, the Iranian government imposed an internet outage on the Iranian people. Starlink could help them get back online.

Konstancija Gasaityte profile chrissw Neilc adi
Stay informed and get our latest stories on Google News
Google News Follow us

DCHSpy uses the same infrastructure as SandStrike, an Android spyware that was discovered by Kaspersky in 2022. Lookout researchers found that the hardcoded Command and Control (C2) IP address in the SandStrike sample was also used multiple times to deploy a PowerShell Remote Access Trojan (RAT) attributed to MuddyWater.

Once data is collected from an infected device, it is compressed and encrypted with a password it receives from the C2 server. Following additional commands from the C2 server, the data is then uploaded to the destination Secure File Transfer Protocol (SFTP) server.

Lookout says it will continue to track MuddyWater’s activity and inform the public of any relevant updates.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked