Four new samples of Android spyware, attributed to the Iranian Ministry of Intelligence and Security (MOIS), have emerged in the wake of increasing tensions between Iran and Israel. The malware, known as DCHSpy, has been discovered disguised as VPN applications called Earth VPN and Comodo VPN. Lookout security researchers first identified these samples on June 23, shortly after Israel launched missile strikes against Iranian nuclear facilities.
According to Lookout researcher Alemdar Islamoglu, one of the DCHSpy samples contained the name “Starlink,” raising concerns that the distribution campaign may be exploiting heightened interest in SpaceX’s global internet service to entice users into downloading the spyware. Following an internet shutdown in Iran after the airstrikes, Elon Musk reportedly activated Starlink for Iranian users, and the malware operators may be using that news as a lure.
These recent DCHSpy samples suggest that the surveillanceware is under active development, with a particular focus on Iranian dissidents both inside and outside the country. As the situation in the Middle East continues to evolve, Iranian authorities appear to be tightening their grip on dissenting voices, using such cyber tools to monitor and suppress their citizens.
Lookout has attributed the surveillance operation to the MuddyWater hacking group, which has a history of cyber espionage against various sectors, including telecommunications and government. Following US sanctions against the MOIS in 2022 for cyber activities, concerns are mounting over the potential scale of the current campaign. DCHSpy’s capabilities include intercepting WhatsApp communications, which is particularly alarming because the app’s end-to-end encryption protects messages only in transit, not on a device the spyware already controls. Any successful infection can therefore lead to severe privacy breaches for targeted individuals.
The researchers have noted a significant increase in DCHSpy samples, with four discovered in just one week, an anomaly given that only 11 DCHSpy variants had been identified in total since 2021. Telemetry from Iran remains limited, so it is unclear how many individuals are currently being targeted. As the investigation continues, it is clear that these methods of digital surveillance pose a serious risk to freedom of expression in the region.