Beware of Iran-linked fake VPN apps found to spy on Android users
Date:
Tue, 22 Jul 2025 16:17:07 +0000
Description:
While VPN demand has soared across Iran since June 13, researchers discovered
a new Android spyware campaign starting one week after the Israel-Iran
conflict began.
FULL STORY
Researchers have discovered a new Iran-linked spyware campaign that mostly targets Android VPN users.
The team at security software provider, Lookout, found a new version of
DCHSpy, an Android spyware that masquerades as legitimate VPN apps or other applications. This includes Starlink, a satellite internet connection service offered by SpaceX.
The malware campaign, according to experts' findings , was deployed by the hacking group MuddyWater only a week after the Israel-Iran conflict began exactly when VPN demand skyrocketed in Iran as citizens looked for ways to bypass new internet restrictions. DCHSpy 2025 what are the risk? A virtual private network (VPN) is security software that encrypts all internet connections while spoofing a user's real IP address location. The latter
skill is exactly what's needed to bypass geo-restrictions like those in place in Iran right now.
As experts explain, DCHSpy is an intrusive piece of software that can collect users' sensitive information like WhatsApp data, contacts, SMS, files, location, and call logs, while even recording audio and taking photos.
First detected in July 2024, DCHSpy is maintained by MuddyWater hackers, a group thought to have links with Iran's Ministry of Intelligence and
Security.
Experts have now discovered four new samples of DCHSpy.
"These new samples show that MuddyWater has continued to develop the surveillanceware with new capabilities this time exhibiting the ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data," explains Lookout.
Specifically, hackers appear to be using two malicious VPN services, called EarthVPN and ComodoVPN, as a way to spread the malware .
HideVPN was another fake VPN app previously used to deploy DCHSpy.
According to Iranian Information Security Analyst, Azam Jangrevi, the latest findings are a stark reminder of how sophisticated and targeted mobile surveillance has become.
"Whats especially concerning is its use of trusted platforms like Telegram to distribute malicious APKs, often under the guise of tools meant to protect privacy," Jangrevi told TechRadar.
The risk for Iranians is especially high, considering that, as mentioned earlier, citizens have been increasingly turning to the best VPN apps as the internet becomes increasingly restricted.
How to stay safe
Jangrevi recommends anyone looking to download a new VPN service, or any
other application for that matter, to be vigilant.
"Avoid downloading apps from unofficial sources, even if they appear to offer enhanced privacy. Stick to verified app stores, scrutinize app permissions,
and use mobile security solutions that can detect threats like DCHSpy," said Jangrevi.
If youre in a high-risk region or profession such as journalism or activism, Jangrevi also suggests using hardware-based security keys and encrypted messaging apps vetted by independent researchers.
She said: "This incident underscores the need for greater awareness around mobile threat vectors and the importance of digital hygiene in an
increasingly hostile cyber landscape."
======================================================================
Link to news story:
https://www.techradar.com/vpn/vpn-privacy-security/beware-iran-linked-fake-vpn -apps-found-to-spy-on-android-users
$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)