New DCHSpy Android Malware Steals WhatsApp data, call logs, Record Audio and Take Photos

A sophisticated new variant of DCHSpy Android surveillanceware, deployed by the Iranian cyber espionage group MuddyWater just one week after escalating tensions in the Israel-Iran conflict. 

This malicious tool represents a significant evolution in mobile surveillance capabilities, targeting sensitive communications data and leveraging current geopolitical events to deceive victims.

Key Takeaways
1. DCHSpy surveillanceware by Iran-linked MuddyWater APT deployed during Israel-Iran conflict.
2. Steals WhatsApp, calls, SMS, contacts, location data, and records audio/photos.
3. Spread via fake StarLink VPN apps on Telegram targeting dissidents.

DCHSpy: MuddyWater’s Evolving Mobile Threat

Lookout reports that the DCHSpy malware family has been attributed to MuddyWater, an Advanced Persistent Threat (APT) group believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). 

This cyber espionage organization has historically targeted diverse government and private entities across telecommunications, local government, defense, and oil sectors spanning the Middle East, Asia, Africa, Europe, and North America.

The timing of these new DCHSpy samples is particularly significant, emerging approximately one week after Israel’s initial strikes on Iranian nuclear infrastructure. 

The malware demonstrates continued development and sophistication, indicating sustained investment by state-sponsored actors in mobile surveillance capabilities. 

Technical analysis reveals that DCHSpy shares infrastructure with another Android malware known as SandStrike, which previously targeted Baháʼí practitioners. 

Researchers discovered that hardcoded command and control (C2) IP addresses were reused across multiple malware families, establishing clear operational links between campaigns.

Advanced Data Exfiltration Capabilities

DCHSpy operates as a modular surveillanceware platform with comprehensive data collection capabilities. 

The malware systematically harvests accounts logged into infected devices, contacts, SMS messages, files stored locally, precise location data, and complete call logs. 

Most concerningly, it can record audio by seizing control of device microphones and capture photos through camera manipulation.

The latest variants demonstrate enhanced WhatsApp data extraction capabilities, representing a significant evolution from previous versions. 

Once collected, sensitive data undergoes compression and encryption using passwords received directly from C2 servers. 

The encrypted payload is then transmitted to destination Secure File Transfer Protocol (SFTP) servers, ensuring secure exfiltration while evading detection.

One analyzed sample with SHA1 hash 9dec46d71289710cd09582d84017718e0547f438 was distributed with the APK filename starlink_vpn(1.3.0)-3012 (1).apk, indicating sophisticated naming conventions designed to appear legitimate.

MuddyWater employs social engineering tactics centered around timely political events and essential services. 

The group distributes malicious applications through Telegram channels, disguising DCHSpy as legitimate VPN services including EarthVPN and ComodoVPN. 

These distribution pages feature themes and language appealing to English and Farsi speakers with views contrary to the Iranian regime.

The incorporation of StarLink-themed lures appears strategically timed, coinciding with reports of StarLink offering internet services to Iranian citizens during government-imposed internet outages following Israel-Iran hostilities. 

This demonstrates how threat actors exploit humanitarian crises and connectivity needs to deliver surveillance tools to targeted populations, particularly activists and journalists operating in restrictive environments.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now