The Register

Four new Android spyware samples linked to Iran’s intel agency

Four new samples of Android spyware linked to the Iranian Ministry of Intelligence and Security (MOIS) surfaced shortly after the Iran-Israel conflict began. The malware collects WhatsApp data, records audio and video, and hunts for files by name.

Lookout security researchers spotted the four new DCHSpy malware samples, disguised as VPN apps called Earth VPN and Comodo VPN, beginning from June 23, about a week after Israel first launched missiles at Iran’s nuclear facilities.

Two of them were uploaded to VirusTotal, one with “Starlink,” SpaceX’s global internet player, in the file name, Lookout security intel researcher Alemdar Islamoglu told The Register.

Finding “Starlink” in one of the Earth VPN samples (SHA-1: 9dec46d71289710cd09582d84017718e0547f438) is important because it indicates that the malware slingers may be using Starlink lures to entice victims into downloading DCHSpy. Elon Musk reportedly turned on Starlink for Iranians after Tehran turned off internet services shortly after the airstrike.

“And for the rest, we went out and hunted for them, and found connected infrastructure, found the Comodo VPN apps, and were able to determine that these are also DCHSpy,” Islamoglu said.

“These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel,” Islamoglu wrote in research published Monday. 

Lookout attributes DCHSpy to MuddyWater, an espionage crew linked to Iran’s MOIS, which the US sanctioned in 2022 in response to its attacks against Albania and other “cyber-enabled activities against the United States and its allies.”

The gang historically targets government and private entities in various sectors, such as telecommunications, local government, defense, and oil and natural gas across the Middle East, Asia, Africa, Europe, and North America.

While the Lookout researchers can’t say for certain whose devices MOIS is trying to infect with the new Android spyware – telemetry from Iran is very limited – one of the Comodo VPN distribution pages spotted on Telegram advertised in English that the service “is used by activists and journalists all over the world.”

“VPN is one of the very common lures that we see being used in Iran because of the closed nature” of the country, Islamoglu said. “Overall, we think this campaign is targeting Iranian dissidents inside and outside of Iran, and also the activists and the journalists.”

The analysts don’t know how many victims are being surveilled under this latest campaign, but to give the attacks – or potential attacks – some perspective: Since 2021, Lookout has collected only 11 total DCHSpy samples. “So seeing four samples in one week is an anomaly,” Islamoglu said.

The team spotted one Telegram channel being used to distribute the spyware, but noted it’s possible that MuddyWater also sends the malware via phishing emails, messaging apps, or texts in the hopes that would-be victims download the snooping software.

After analyzing the new samples, the researchers uncovered a couple of new capabilities in addition to the malware’s existing ability to collect account information, contacts, SMS messages, location data, call logs, audio, and photos.

The more recent DCHSpy code also collects victims’ WhatsApp data, and can search for and exfiltrate sensitive files and folders stored on the device.

“WhatsApp, in general, is a juicy target for intelligence agencies since it’s end-to-end encrypted,” Christoph Hebeisen, director of security intelligence research at Lookout, told The Register.

End-to-end encryption ensures that messages in transit can’t be decrypted by anyone other than the endpoints, so intercepting traffic does not expose sensitive and private communications. The only way for spies to read or listen to people’s WhatsApp conversations is to compromise the endpoint itself, in this case by tricking someone into installing spyware on their phone, which lets the attackers eavesdrop on their victims after the messages have been decrypted on the device.

Once it has collected all the data it wants from an infected device, the spyware compresses and encrypts the information with a password received from the command-and-control server and then uploads the stolen files to an attacker-controlled Secure File Transfer Protocol (SFTP) server. ®