Cybersecurity researchers at Lookout have uncovered four new samples of DCHSpy, a sophisticated Android surveillance tool, just one week after the escalation of the Israel-Iran conflict.
This discovery reveals the ongoing evolution of mobile espionage tools deployed by Iranian state-sponsored actors during times of geopolitical tension.
Advanced Surveillance Capabilities Target Critical Data
DCHSpy represents a comprehensive mobile surveillance platform developed and maintained by MuddyWater, a cyber espionage group believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
The malware demonstrates extensive data collection capabilities, systematically harvesting accounts logged into infected devices, contacts, SMS messages, stored files, and precise location data.
The malware's most concerning features involve covert access to device hardware for surveillance.
DCHSpy can commandeer the microphone to record audio conversations and take control of the camera to capture photographs without the user's knowledge.
It also specifically targets WhatsApp data, reflecting the messaging platform's widespread use for sensitive communications.
Starlink Lures and VPN Disguises Enable Distribution
The newest DCHSpy samples reveal sophisticated social engineering tactics designed to exploit current events.
Researchers identified that the threat actors are leveraging Starlink-themed lures, capitalizing on reports that the satellite internet service offered connectivity to Iranian citizens during government-imposed internet outages following the recent hostilities.
The malware typically disguises itself as legitimate applications, particularly VPN services and banking applications.
Distribution occurs through malicious URLs shared via messaging platforms, such as Telegram, with actors currently promoting two fake VPN services: EarthVPN and ComodoVPN.

These fraudulent services claim operations in Romania and Canada, respectively, using hijacked business addresses and contact information from these countries to enhance their legitimacy.
Once data has been collected, DCHSpy protects it in transit before exfiltration.
The malware compresses and encrypts harvested data using passwords received from its command and control servers, then uploads the resulting archives to destination Secure File Transfer Protocol (SFTP) servers.
Iranian Mobile Espionage Infrastructure Expands
DCHSpy shares infrastructure with SandStrike, another Android surveillance tool targeting Baháʼí practitioners, demonstrating the interconnected nature of Iranian mobile espionage operations.
Lookout researchers have identified that hardcoded command and control IP addresses in SandStrike samples were also used to deploy PowerShell remote access trojans attributed to MuddyWater.
This discovery represents part of a broader pattern of Iranian mobile surveillance activities. Lookout currently tracks 17 unique mobile malware families tied to at least 10 Iranian advanced persistent threat groups, with activity spanning over a decade.
The continued development of DCHSpy indicates persistent investment in mobile espionage capabilities as regional conflicts evolve, particularly as Iran monitors domestic dissent following recent ceasefire agreements.
Indicators of Compromise (IoCs)
SHA1s
- 556d7ac665fa3cc6e56070641d4f0f5c36670d38
- 7010e2b424eadfa261483ebb8d2cca4aac34670c
- 8f37a3e2017d543f4a788de3b05889e5e0bc4b06
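A practical use of the hashes above is triage: pull the APKs off a suspect device (for example with `adb shell pm path <package>` followed by `adb pull`) and compare their SHA1 digests against the published indicators. The script below is an added example, not Lookout's tooling and not part of the original report; the directory layout and `.apk` suffix filter are assumptions, and the indicator set is exactly the three SHA1s listed above. Hashing is streamed so large APKs do not have to be loaded into memory, and matching is case-insensitive so hashes copied from other sources in upper case still compare correctly.

```python
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

# SHA1 indicators of compromise as published in the article above.
DCHSPY_SHA1S: frozenset[str] = frozenset({
    "556d7ac665fa3cc6e56070641d4f0f5c36670d38",
    "7010e2b424eadfa261483ebb8d2cca4aac34670c",
    "8f37a3e2017d543f4a788de3b05889e5e0bc4b06",
})

CHUNK_SIZE = 1 << 20  # hash files in 1 MiB chunks


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA1 of an in-memory blob (used for small inputs and tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    """Stream a file through SHA1 so large APKs are not read into memory."""
    digest = hashlib.sha1()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_sample(sha1_hex: str, iocs: frozenset[str] = DCHSPY_SHA1S) -> bool:
    """Case-insensitive membership check against the IoC set."""
    return sha1_hex.strip().lower() in iocs


def scan_directory(
    root: Path,
    iocs: frozenset[str] = DCHSPY_SHA1S,
    suffixes: tuple[str, ...] = (".apk",),
) -> list[tuple[Path, str]]:
    """Walk `root` recursively, hash every file with a matching suffix,
    and return (path, sha1) pairs that match a known indicator."""
    hits: list[tuple[Path, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = sha1_of_file(path)
            if is_known_sample(digest, iocs):
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage (assumed layout): python dchspy_ioc_scan.py /path/to/pulled/apks
    scan_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    matches = scan_directory(scan_root)
    for match_path, match_digest in matches:
        print(f"MATCH {match_digest} {match_path}")
    print(f"{len(matches)} known DCHSpy sample(s) found under {scan_root}")
```

A hash match confirms a known sample, but a miss proves nothing: the report describes four new samples and lists three hashes, and repackaged builds change the digest, so treat this check as a first pass before behavioural analysis of any VPN or Starlink-themed app that arrived via a Telegram link.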