TZUTC: -0500
MSGID: 1258.consprcy@1:2320/105 2ce629e3
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Beware of Iran-linked fake VPN apps found to spy on Android users

Date:
Tue, 22 Jul 2025 16:17:07 +0000

Description:
While VPN demand has soared across Iran since June 13, researchers discovered
a new Android spyware campaign starting one week after the Israel-Iran
conflict began.

FULL STORY

Researchers have discovered a new Iran-linked spyware campaign that mostly
targets Android VPN users. 

The team at security software provider, Lookout, found a new version of
DCHSpy, an Android spyware that masquerades as legitimate VPN apps or other
applications. This includes Starlink, a satellite internet connection service
offered by SpaceX. 

The malware campaign, according to experts' findings , was deployed by the
hacking group MuddyWater only a week after the Israel-Iran conflict began
exactly when VPN demand skyrocketed in Iran as citizens looked for ways to
bypass new internet restrictions. DCHSpy 2025  what are the risk? A virtual
private network (VPN) is security software that encrypts all internet
connections while spoofing a user's real IP address location. The latter 
skill is exactly what's needed to bypass geo-restrictions like those in place
in Iran right now.

As experts explain, DCHSpy is an intrusive piece of software that can collect
users' sensitive information like WhatsApp data, contacts, SMS, files,
location, and call logs, while even recording audio and taking photos. 

First detected in July 2024, DCHSpy is maintained by MuddyWater hackers, a
group thought to have links with Iran's Ministry of Intelligence and 
Security. 

Experts have now discovered four new samples of DCHSpy. 

"These new samples show that MuddyWater has continued to develop the
surveillanceware with new capabilities  this time exhibiting the ability to
identify and exfiltrate data from files of interest on the device as well as
WhatsApp data," explains Lookout. 

Specifically, hackers appear to be using two malicious VPN services, called
EarthVPN and ComodoVPN, as a way to spread the malware . 

HideVPN was another fake VPN app previously used to deploy DCHSpy.

According to Iranian Information Security Analyst, Azam Jangrevi, the latest
findings are a stark reminder of how sophisticated and targeted mobile
surveillance has become. 

"Whats especially concerning is its use of trusted platforms like Telegram to
distribute malicious APKs, often under the guise of tools meant to protect
privacy," Jangrevi told TechRadar. 

The risk for Iranians is especially high, considering that, as mentioned
earlier, citizens have been increasingly turning to the best VPN apps as the
internet becomes increasingly restricted.

How to stay safe 

Jangrevi recommends anyone looking to download a new VPN service, or any 
other application for that matter, to be vigilant. 

"Avoid downloading apps from unofficial sources, even if they appear to offer
enhanced privacy. Stick to verified app stores, scrutinize app permissions,
and use mobile security solutions that can detect threats like DCHSpy," said
Jangrevi. 

If youre in a high-risk region or profession such as journalism or activism,
Jangrevi also suggests using hardware-based security keys and encrypted
messaging apps vetted by independent researchers. 

She said: "This incident underscores the need for greater awareness around
mobile threat vectors and the importance of digital hygiene in an 
increasingly hostile cyber landscape."

======================================================================
Link to news story:
https://www.techradar.com/vpn/vpn-privacy-security/beware-iran-linked-fake-vpn
-apps-found-to-spy-on-android-users

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426