
Cybersecurity researchers have been distributed to targets by unearthing new Android Spyware artifacts that are likely to belong to Iran’s Ministry of Information Security (MOI) and embellishing the VPN app and StarLink, a satellite internet connection service provided by SpaceX.
Mobile security vendor Lookout said it discovered four samples of surveillance wear tools that it tracks as DCHSPY a week after the Israeli-Iran conflict last month. The number of people who have installed these apps is not clear.
“DCHSPY can collect WhatsApp data, accounts, contacts, SMS, files, locations, call logs, and record audio and take photos,” said security researchers Alemdar Islamoglu and Justin Albrecht.

The DCHSPY, first detected in July 2024, is rated as handicraft by Muddywater, an Iranian nation-state group associated with MOI. The hacking crew is also known as Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly mercury), seedlings, static kittens, TA450, and Yellowknix.
The early repetition of DCHSPY has been identified as targeting English and Falsi speakers through telegram channels using themes that run counters to the Iranian regime. Given the use of VPN lures to promote malware, it is possible that dissidents, activists and journalists are targets for their activities.
The newly identified DCHSPY variant is suspected to have been deployed against the enemy in the wake of recent conflicts in the region. Apparently useful services like Regional VPN (“com.earth.earth_vpn”), Comodo vpn (“com.comodoapp.comodovpn”), Hide vpn (“com.hv.hide_vpn”)

Interestingly, I found that one of the Earth VPN APP samples is distributed in the form of an APK file using the name “Starlink_vpn(1.3.0)-3012(1).apk”.
It is worth noting that Starlink’s satellite internet service was activated in Iran last month amid a government-imposed internet blackout. But a few weeks later, the country’s parliament voted to ban its use against fraudulent operations.
The modular trojan, DCHSPY is equipped to collect a wide range of data, including device-signed accounts, contacts, SMS messages, call logs, files, locations, ambient audio, photos, WhatsApp information, and more.
DCHSPY also shares infrastructure with another Android malware known as SandStrike. It targets Persian-speaking individuals by posing in November 2022 by Kaspersky as a seemingly harmless VPN application.

DCHSPY Discovery is the latest instance of Android spyware used to target individuals and groups in the Middle East. Other documented malware strains include AridSpy, Bouldspy, Guardzoo, Ratmilad, and Spynote.
“DChspy uses similar tactics and infrastructure to Sandstrike,” Lookout says. “It is distributed to target groups and individuals by leveraging malicious URLs that are shared directly through messaging apps such as Telegram.”
“These recent samples of DCHSPY show the continued development and use of surveillance wear, particularly as the Middle East situation evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel.”
Source link