New DCHSpy Android Malware Targets WhatsApp, Call Logs, Audio, and Photos

Security researchers at Lookout have identified four novel samples of DCHSpy, an advanced Android surveillanceware attributed to the Iranian threat actor group MuddyWater, believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

These samples emerged approximately one week following the onset of the Israel-Iran conflict, highlighting the rapid adaptation of malware tooling in response to regional hostilities.

DCHSpy, which Lookout has detected and protected its customers against since 2024, is a modular implant built for comprehensive data exfiltration from infected devices.

MuddyWater’s Evolving Surveillanceware

The implant systematically harvests sensitive information, including logged-in accounts, contact lists, SMS messages, stored files, geolocation data, call logs, ambient audio recorded through the microphone, and photos captured through the camera.

Notably, the malware extends its reach to WhatsApp data, enabling attackers to intercept communications from this popular messaging platform.

MuddyWater, known for targeting entities in telecommunications, defense, oil and natural gas, and government sectors across the Middle East, Asia, Africa, Europe, and North America, appears to be leveraging DCHSpy in targeted campaigns against perceived adversaries, particularly in the context of Iran’s internal crackdowns and external conflicts.

The malware’s infrastructure overlaps with that of SandStrike, another Android surveillanceware reported by Kaspersky in 2022, which targeted Baháʼí practitioners.

Lookout’s analysis reveals shared command-and-control (C2) IP addresses, including those used for deploying PowerShell remote access trojans (RATs) linked to MuddyWater.

Both families employ similar tactics, techniques, and procedures (TTPs), such as distribution via malicious URLs disseminated through messaging apps like Telegram.

The latest DCHSpy iterations introduce enhanced capabilities, including targeted file identification and exfiltration, alongside WhatsApp data scraping, allowing for more precise intelligence gathering.

Collected data is compressed, encrypted with a password obtained from the C2 server, and uploaded to attacker-controlled SFTP servers, so that the exfiltrated content cannot be read by anyone inspecting the traffic in transit.

This modular architecture reflects MuddyWater’s ongoing development effort; the group keeps adapting the malware and its lures to current events for social engineering.

Starlink-Themed Lures

Amid the government-imposed internet outages in Iran following the hostilities with Israel, the new DCHSpy variants are suspected of using Starlink-themed lures, capitalizing on the satellite internet provider’s offer to restore connectivity for affected Iranians.

One sample, with SHA1 hash 9dec46d71289710cd09582d84017718e0547f438, was disguised as “starlink_vpn(1.3.0)-3012 (1).apk,” masquerading as a legitimate VPN application.

[Figure: The malicious VPN distribution page from July 2024]

This aligns with MuddyWater’s established playbook of impersonating benign apps, such as VPNs or banking tools, to deceive users.

Distribution occurs through Telegram channels promoting fictitious services like EarthVPN and ComodoVPN, which feature anti-regime rhetoric in English and Farsi to attract dissidents, activists, and journalists.

These channels lead to simplistic webpages hosting the malicious APKs, with fabricated details like Canadian or Romanian business addresses to lend credibility.

This mirrors prior campaigns, such as the July 2024 HideVPN operation, and reflects a broader pattern of Iranian APTs employing mobile surveillanceware, including Lookout’s 2023 disclosure of BouldSpy used by Iran’s FARAJA law enforcement.

Lookout’s ongoing research tracks 17 unique mobile malware families linked to at least 10 Iranian advanced persistent threats (APTs) over a decade, alongside commodity tools like Metasploit, AndroRat, and AhMyth.

Recent parallels include the Houthi-linked GuardZoo campaign and the use of SpyMax against Syrian forces, both illustrating how nation-state actors deploy mobile implants for monitoring during conflicts.

As the Middle East situation evolves post-ceasefire, DCHSpy’s continued refinement signals persistent threats, with Lookout committing to monitor MuddyWater and update threat intelligence subscribers.

Indicators of Compromise (IoCs)

SHA1 hashes:
556d7ac665fa3cc6e56070641d4f0f5c36670d38
7010e2b424eadfa261483ebb8d2cca4aac34670c
8f37a3e2017d543f4a788de3b05889e5e0bc4b06
9dec46d71289710cd09582d84017718e0547f438
6c291b3e90325bea8e64a82742747d6cdce22e5b
7267f796581e4786dbc715c6d62747d27df09c61
67ab474e08890c266d242edaca7fab1b958d21d4
f194259e435ff6f099557bb9675771470ab2a7e3
cb2ffe5accc89608828f5c1cd960d660aac2971d

Command and control (defanged with [.]):
https://it1[.]comodo-vpn[.]com:1953
https://it1[.]comodo-vpn[.]com:1950
https://r1[.]earthvpn[.]org:3413
https://r2[.]earthvpn[.]org:3413
http://192.121.113[.]60/dev/run.php
http://79.132.128[.]81/dev/run.php
n14mit69company[.]top
https://hs1[.]iphide[.]net:751
https://hs2[.]iphide[.]net:751
https://hs3[.]iphide[.]net:751
https://hs4[.]iphide[.]net:751
http://194.26.213[.]176/class/mcrypt.php
http://45.86.163[.]10/class/mcrypt.php
http://46.30.188[.]243/class/mcrypt.php
http://77.75.230[.]135/class/mcrypt.php
http://185.203.119[.]134/DP/dl.php
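The first thing a practitioner does with a table like this is sweep their own telemetry for it. The following Python script is an added example, not code from Lookout's report or from this article: it refangs the published C2 entries, reduces each to its host or IP (since DNS and proxy logs rarely carry the full URL or port), matches those hosts against log lines, and checks file hashes against the SHA1 list. The log lines and the file bytes in it are constructed samples, not real captures; the indicator values are copied from the table above.

```python
"""Match the DCHSpy indicators published above against local artifacts.

Added example (not Lookout's or the article's code). The indicator values
are copied from the IoC table; the log lines and file bytes below are
constructed for illustration and are not real captures.
"""
import hashlib
import re
from urllib.parse import urlsplit

# SHA1 hashes from the IoC table.
SHA1_IOCS = {
    "556d7ac665fa3cc6e56070641d4f0f5c36670d38",
    "7010e2b424eadfa261483ebb8d2cca4aac34670c",
    "8f37a3e2017d543f4a788de3b05889e5e0bc4b06",
    "9dec46d71289710cd09582d84017718e0547f438",
    "6c291b3e90325bea8e64a82742747d6cdce22e5b",
    "7267f796581e4786dbc715c6d62747d27df09c61",
    "67ab474e08890c266d242edaca7fab1b958d21d4",
    "f194259e435ff6f099557bb9675771470ab2a7e3",
    "cb2ffe5accc89608828f5c1cd960d660aac2971d",
}

# C2 entries as published (defanged): URLs with ports, plain IPs with
# paths, and one bare domain.
C2_IOCS_DEFANGED = [
    "https://it1[.]comodo-vpn[.]com:1953",
    "https://it1[.]comodo-vpn[.]com:1950",
    "https://r1[.]earthvpn[.]org:3413",
    "https://r2[.]earthvpn[.]org:3413",
    "http://192.121.113[.]60/dev/run.php",
    "http://79.132.128[.]81/dev/run.php",
    "n14mit69company[.]top",
    "https://hs1.iphide[.]net:751",
    "https://hs2.iphide[.]net:751",
    "https://hs3.iphide[.]net:751",
    "https://hs4.iphide[.]net:751",
    "http://194.26.213[.]176/class/mcrypt.php",
    "http://45.86.163[.]10/class/mcrypt.php",
    "http://46.30.188[.]243/class/mcrypt.php",
    "http://77.75.230[.]135/class/mcrypt.php",
    "http://185.203.119[.]134/DP/dl.php",
]


def refang(indicator: str) -> str:
    """Undo the report's "[.]" defanging so the value can be compared."""
    return indicator.replace("[.]", ".")


def host_of(indicator: str) -> str:
    """Reduce a URL, host:port or bare-domain indicator to its host part.

    Matching on the host (or IP) catches DNS lookups and proxy/firewall
    entries as well as full requests, which rarely log the whole URL.
    """
    value = refang(indicator)
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split(":", 1)[0].lower()


C2_HOSTS = frozenset(host_of(i) for i in C2_IOCS_DEFANGED)

# Hostnames (dotted labels ending in a TLD) or dotted-quad IPv4 addresses.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}", re.I)


def scan_log_lines(lines):
    """Return (line_number, host) for every line that references a C2 host."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in HOST_RE.findall(line):
            if token.lower() in C2_HOSTS:
                hits.append((number, token.lower()))
                break  # one hit per line is enough for triage
    return hits


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the SHA1 of the given file contents is in the published list."""
    return sha1_hex(data) in SHA1_IOCS


# Constructed log lines (not real traffic): two DNS queries and two proxy
# entries, three of which touch published C2 hosts.
SAMPLE_LOGS = [
    "2025-06-30T10:01:02Z dns query from 10.0.0.12: r1.earthvpn.org A",
    "2025-06-30T10:01:05Z proxy 10.0.0.12 -> http://192.121.113.60/dev/run.php 200",
    "2025-06-30T10:02:00Z dns query from 10.0.0.13: www.example.com A",
    "2025-06-30T10:03:00Z proxy 10.0.0.14 -> https://hs3.iphide.net:751/ 200",
]

if __name__ == "__main__":
    for number, host in scan_log_lines(SAMPLE_LOGS):
        print(f"line {number}: C2 host {host}")
    # A constructed blob standing in for an APK pulled from a device.
    print("known sample:", is_known_sample(b"PK\x03\x04 constructed, not a real APK"))
```

Matching on hosts rather than full URLs is deliberate: the `mcrypt.php` and `run.php` paths and the non-standard ports (751, 1950, 1953, 3413) only appear in full-URL or NetFlow data, while a DNS query for `r1.earthvpn.org` or a connection to `192.121.113.60` shows up almost everywhere. For a real sweep, feed the script your DNS, proxy and firewall exports and the SHA1s of any APKs sideloaded onto managed devices.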
