What Is DCHSpy?
A new Android spyware called DCHSpy has been discovered by cybersecurity researchers. It collects personal data from mobile devices and targets specific individuals in the Middle East.
The malware pretends to be VPN apps or Starlink-related services. Once installed, it secretly steals sensitive information like call logs, photos, WhatsApp chats, and audio recordings.
Researchers attribute the spyware to MuddyWater, an Iranian nation-state group tied to the Ministry of Intelligence and Security (MOIS).
When and Where It Was Detected
DCHSpy was first identified by Lookout's mobile threat research team in July 2024. The newest samples surfaced shortly after the conflict between Israel and Iran escalated in June 2025, which is what prompted renewed attention to the family.
Four different versions of the spyware were uncovered. All appeared to target Android users in countries facing internet blackouts or restrictions.
Many of these apps were disguised as VPN tools like Earth VPN, Comodo VPN, and Hide VPN. One version even used a fake Starlink app name to attract users seeking internet access.
Who Is Being Targeted?
The malware is believed to focus on activists, dissidents, and journalists. Victims are usually people opposing the Iranian regime or involved in free speech movements.
These users were likely lured through Telegram channels and other messaging apps. Some apps used “Starlink” in their file name to mislead users during internet blackouts in Iran.
In one case, a sample was shared as “starlink_vpn(1.3.0)-3012 (1).apk,” suggesting the attackers were exploiting recent events for maximum impact.
What the Malware Can Do
DCHSpy is modular, which means it can be updated and customized. It collects:
- WhatsApp data
- Call logs and SMS
- Photos and audio recordings
- Location and files
- Contact lists and signed-in accounts
The spyware can also record sound from the phone and take pictures without the user’s knowledge. These features make it a powerful surveillance tool.
Connection to Other Malware
DCHSpy shares infrastructure with another Android spyware named SandStrike. That malware also pretended to be VPN software and targeted Persian-speaking users.
Both threats are part of a broader surveillance trend. Other known spyware families include AridSpy, RatMilad, GuardZoo, BouldSpy, and SpyNote.
The attackers use direct message links and malicious URLs sent through platforms like Telegram. These links lead users to download harmful APK files instead of real apps.
Why Android Is a Common Target
Unlike iOS, where app installation is largely confined to Apple's App Store, Android lets users sideload APK files from any source. This makes it easy for operators to distribute malicious APKs through chat links and file shares without ever passing through the Google Play Store's review process.
Since Android devices are widely used in the region, they provide a large attack surface for spyware distribution, especially during politically unstable periods.
How to Stay Protected
To avoid spyware like DCHSpy, Android users should install apps only from the Google Play Store or another source they trust, and should treat APK files shared over Telegram or other messaging apps as untrusted no matter how relevant the app name looks. A VPN or Starlink utility arriving as a chat attachment is exactly the lure described above.
Mobile threat detection products can block spyware at install time by scanning APKs and at runtime by monitoring for unusual data access and unauthorized use of the camera and microphone. Even without such a product, two built-in checks help: Android's permission manager (Settings > Privacy) lists every app that holds microphone, camera, call log, SMS, and location access, and on Android 12 and later a status-bar indicator lights up whenever the microphone or camera is in use. A "VPN" app that holds the full set of those permissions has no legitimate reason for them and should be removed.
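The capability list and the protection advice above map directly onto Android runtime permissions, so one practical check is to look for sideloaded apps that hold the combination a surveillance implant needs. The script below is an added example written for this article, not code from the original page or from Lookout. It parses the output of two standard Android commands, `adb shell pm list packages -i` (package to installer mapping) and `adb shell dumpsys package <pkg>` (granted runtime permissions), and flags packages that were not installed by the Play Store yet hold several of the permissions needed for mic, camera, call log, SMS, location, contacts, account, and file access. The sample command output embedded in it is constructed for the example; the package names and the alert threshold are illustrative assumptions.

```python
"""Triage sideloaded Android apps for the permission set a spyware implant needs.

Added example (not from the original article or from any vendor tool).
Input formats are those of:
    adb shell pm list packages -i        -> "package:<pkg>  installer=<installer|null>"
    adb shell dumpsys package <pkg>      -> "<permission>: granted=true, flags=[...]"
The sample data at the bottom is constructed; package names are illustrative.
"""
import re

PLAY_STORE = "com.android.vending"

# Permissions that together cover the capabilities described in the article:
# audio/photo capture, call logs, SMS, location, contacts, accounts, files.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
ALERT_THRESHOLD = 4  # assumption: flag when this many or more are granted to a sideloaded app


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None when pm reports installer=null)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_granted_permissions(dumpsys_output: str) -> set:
    """Collect permissions marked granted=true in `dumpsys package` output."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = re.match(r"\s*(android\.permission\.[A-Z_]+):\s+granted=true", line)
        if m:
            granted.add(m.group(1))
    return granted


def triage(installers: dict, dumpsys_by_pkg: dict) -> list:
    """Return (package, installer, matched_permissions) for suspicious sideloaded apps."""
    findings = []
    for pkg, inst in installers.items():
        if inst == PLAY_STORE:
            continue  # policy assumption: Play-installed apps are out of scope for this check
        granted = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        matched = sorted(granted & SURVEILLANCE_PERMS)
        if len(matched) >= ALERT_THRESHOLD:
            findings.append((pkg, inst or "sideloaded (installer=null)", matched))
    return findings


# --- constructed sample output, not real device telemetry ---
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.starlinkvpn  installer=null
package:com.example.notes  installer=null
"""

SAMPLE_DUMPSYS = {
    "com.example.starlinkvpn": """\
  runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
""",
    "com.example.notes": """\
  runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
""",
}

if __name__ == "__main__":
    for pkg, inst, perms in triage(parse_installers(SAMPLE_PM_LIST), SAMPLE_DUMPSYS):
        print(f"[!] {pkg} ({inst}) holds {len(perms)} surveillance permissions: {', '.join(perms)}")
```

Two caveats when running this against a real device: an APK opened from a chat app usually shows `installer=null` or the system package installer rather than the chat app itself, so the installer field tells you only that Play did not install it, not where it came from; and a Play-installed app can still be malicious, so the Play exclusion is a triage shortcut, not a verdict. The threshold is deliberately a heuristic: legitimate VPN apps need network and VPN-service permissions, not microphone, camera, call log, or SMS access.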
Sleep well, we got you covered.

