{"id":27422,"date":"2025-07-22T01:10:15","date_gmt":"2025-07-22T01:10:15","guid":{"rendered":"https:\/\/www.newsbeep.com\/us\/27422\/"},"modified":"2025-07-22T01:10:15","modified_gmt":"2025-07-22T01:10:15","slug":"spyware-uses-starlink-name-to-trick-iranians-desperate-for-unfiltered-internet","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/us\/27422\/","title":{"rendered":"Spyware Uses Starlink Name to Trick Iranians Desperate for Unfiltered Internet"},"content":{"rendered":"

An Android-based spyware<\/a> program is using the Starlink name to trick Iran-based web users into installing it, according to researchers at cybersecurity vendor Lookout<\/a>.<\/p>\n

The company has linked the spyware program, dubbed DCHSpy, to the Iranian state-sponsored group MuddyWater<\/a>, a unit that allegedly works in Iran’s Ministry of Intelligence and Security, citing internet domains that match earlier spyware attacks tied to the group. The spyware can steal data such as call logs, location data, and SMS messages, take photos and record audio.<\/p>\n

Although the spyware was flagged<\/a> last year, Lookout spotted new versions of DCHSpy posing as VPN<\/a> apps. Following Israeli and US bombing campaigns on Iran, the country restricted access to the internet to thwart Israeli cyberattacks and quash dissent. VPN usage then surged<\/a>.<\/p>\n

\"The<\/p>\n

\n (Credit: Lookout)\n<\/p>\n

The four recovered spyware samples used the names \u201cEarth VPN\u201d and \u201cComodo VPN\u201d to phish users looking for access to uncensored internet.<\/p>\n

While examining the spyware samples, Lookout also uncovered the use of the Starlink name. \u201cOne of the Earth VPN samples, SHA1:9dec46d71289710cd09582d840177180547f438, was uploaded with an APK filename of starlink _ vpn(1.3.0)-3012 (1).apk,\u201d the company said. \u201cThis may indicate that DCHSpy VPN samples are also being spread with Starlink lures, especially given recent reports of Starlink offering internet services to the Iranian population during the internet outage imposed by the Iranian government following hostilities between Israel and Iran.\u201d<\/p>\n

Since 2022, SpaceX has enabled Starlink access in Iran, despite the government\u2019s protests. Local Iranian residents have smuggled<\/a> the satellite internet hardware into the country, with one group estimating<\/a> that Iran has over 100,000 Starlink users.<\/p>\n

Recommended by Our Editors<\/p>\n

\"Starlink<\/p>\n

\n (Photo by Anonymous\/Middle East Images\/AFP via Getty Images)\n<\/p>\n

In Iran, the satellite internet service stands out by providing internet access without government-imposed censorship. It looks like MuddyWater is trying to exploit the Starlink name to phish users desperate for that unfiltered broadband access. Lookout notes DCHSpy has been circulating through messaging apps<\/a> such as Telegram<\/a>.\u00a0<\/p>\n

\u201cThese new samples show that MuddyWater has continued to develop the surveillanceware with new capabilities\u2014this time exhibiting the ability to identify and exfiltrate data from files of interest on the device as well as WhatsApp data,\u201d the cybersecurity vendor added.\u00a0<\/p>\n

\"5<\/p>\n

\"PCMag<\/p>\n

5 Things to Know About Starlink Satellite Internet<\/p>\n

<\/p>\n

\"Newsletter<\/p>\n

\n Get Our Best Stories!\n <\/p>\n

Stay Safe With the Latest Security News and Updates<\/p>\n

\"SecurityWatch<\/p>\n

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.<\/p>\n

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.<\/p>\n

\n By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use<\/a> and Privacy Policy<\/a>.\n <\/p>\n

Thanks for signing up!<\/p>\n

Your subscription has been confirmed. Keep an eye on your inbox!<\/p>\n

About Michael Kan<\/p>\n

\n Senior Reporter\n <\/p>\n

\"Michael<\/p>\n

I’ve been working as a journalist for over 15 years\u2014I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.<\/p>\n

\n
\n Read Michael’s full bio
\n <\/a>\n <\/p>\n

Read the latest from Michael Kan<\/p>\n","protected":false},"excerpt":{"rendered":"An Android-based spyware program is using the Starlink name to trick Iran-based web users into installing it, according…\n","protected":false},"author":2,"featured_media":27423,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43],"tags":[174,74],"class_list":{"0":"post-27422","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-internet","8":"tag-internet","9":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/27422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/comments?post=27422"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/27422\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media\/27423"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media?parent=27422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/categories?post=27422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/tags?post=27422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}