Iran-linked hacking group deploys new Android spyware amid Israel-Iran conflict

A hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been deploying a new version of the Android spyware DCHSpy in the wake of the recent Israel-Iran conflict, according to mobile security firm Lookout.

Known as MuddyWater and also tracked as Mango Sandstorm, Mercury, Seedworm, and Static Kitten, the group has been active since at least 2017 and is known for espionage operations targeting the Middle East.

Lookout reports that new DCHSpy samples emerged just one week after hostilities began, delivered under the guise of VPN and banking apps with politically charged lures.

The spyware shares infrastructure with SandStrike, another Android surveillance tool previously attributed to the group. Recent DCHSpy samples have been disguised as apps like Earth VPN, Comodo VPN, Hide VPN, and Hazrat Eshq, and promoted on Telegram channels in both English and Farsi. Some campaigns reportedly exploited themes such as the availability of Starlink internet services in Iran.

The malware can collect a wide range of personal data from infected devices, including user accounts, contacts, SMS messages, local files, call logs, location data, WhatsApp data, and recordings from the microphone and camera. The collected data is encrypted and exfiltrated to attacker-controlled infrastructure over SFTP.

The spyware is delivered through direct links sent over messaging platforms like Telegram, using fake VPN sites as bait. Its modular design allows it to adapt its spying capabilities based on the target.
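The capability list above translates directly into a triage check a mobile analyst can run on a suspicious APK: a genuine VPN client has no reason to ask for contacts, SMS, call-log, location, microphone or camera access. The following is an added example, not code from the article or from Lookout. It parses a decoded AndroidManifest.xml, maps each declared permission to the data class it unlocks (the grouping and the "expected for a VPN app" allow-list are this example's own assumptions, not a published detection rule) and flags manifests that request several surveillance-relevant classes. The two manifests are constructed samples, not DCHSpy artefacts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that unlock the data classes the article says DCHSpy collects
# (accounts, contacts, SMS, call logs, location, mic, camera, local files).
# The grouping is an assumption made for this example, not a Lookout rule.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
}

# Permissions a legitimate VPN client plausibly needs (assumed allow-list);
# anything outside this set is reported as unexpected for a "VPN" app.
VPN_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample: what a real VPN client's manifest typically looks like.
BENIGN_VPN_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>
"""

# Constructed sample: a "VPN" app requesting the permission set the article's
# capability list implies. Not taken from any real DCHSpy sample.
SPYWARE_LIKE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # namespaced attribute key in ElementTree
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage_vpn_manifest(manifest_xml: str, min_classes: int = 3) -> dict:
    """Flag a self-described VPN app whose permissions span several surveillance data classes.

    min_classes is the number of distinct data classes (sms, location, ...) that
    must be reachable before the manifest is marked suspicious; the threshold
    is a tuning choice for this example.
    """
    perms = declared_permissions(manifest_xml)
    classes = sorted({SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS})
    unexpected = sorted(perms - VPN_EXPECTED)
    return {
        "surveillance_classes": classes,
        "unexpected_permissions": unexpected,
        "suspicious": len(classes) >= min_classes,
    }


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_VPN_MANIFEST), ("spyware-like", SPYWARE_LIKE_MANIFEST)):
        result = triage_vpn_manifest(manifest)
        print(label, "suspicious" if result["suspicious"] else "ok", result["surveillance_classes"])
```

The check is a first-pass filter, not an attribution tool: a legitimate messaging or navigation app would also trip it, and an implant can hide behind runtime-loaded modules or accessibility-service abuse that no manifest scan will see. Its value is in the mismatch the article describes, a "VPN" lure whose declared permissions only make sense for surveillance.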

Lookout has documented at least 17 mobile malware families used by 10 different Iranian advanced persistent threat (APT) groups.
