An Android-based spyware program is using the Starlink name to trick Iran-based web users into installing it, according to researchers at cybersecurity vendor Lookout.
The company has linked the spyware program, dubbed DCHSpy, to the Iranian state-sponsored group MuddyWater, a unit that allegedly works in Iran’s Ministry of Intelligence and Security, citing internet domains that match earlier spyware attacks tied to the group. The spyware can steal data such as call logs, location data, and SMS messages, take photos and record audio.
Although the spyware was flagged last year, Lookout spotted new versions of DCHSpy posing as VPN apps. Following Israeli and US bombing campaigns on Iran, the country restricted access to the internet to thwart Israeli cyberattacks and quash dissent. VPN usage then surged.
The four recovered spyware samples used the names “Earth VPN” and “Comodo VPN” to phish users looking for access to uncensored internet.
While examining the spyware samples, Lookout also uncovered the use of the Starlink name. “One of the Earth VPN samples, SHA1:9dec46d71289710cd09582d840177180547f438, was uploaded with an APK filename of starlink _ vpn(1.3.0)-3012 (1).apk,” the company said. “This may indicate that DCHSpy VPN samples are also being spread with Starlink lures, especially given recent reports of Starlink offering internet services to the Iranian population during the internet outage imposed by the Iranian government following hostilities between Israel and Iran.”
Since 2022, SpaceX has enabled Starlink access in Iran, despite the government’s protests. Local Iranian residents have smuggled the satellite internet hardware into the country, with one group estimating that Iran has over 100,000 Starlink users.
In Iran, the satellite internet service stands out by providing internet access without government-imposed censorship. It looks like MuddyWater is trying to exploit the Starlink name to phish users desperate for that unfiltered broadband access. Lookout notes DCHSpy has been circulating through messaging apps such as Telegram.
“These new samples show that MuddyWater has continued to develop the surveillanceware with new capabilities—this time exhibiting the ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data,” the cybersecurity vendor added.
About Michael Kan
Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

