Security researchers have discovered four new samples of the Android spyware DCHSpy used by the MuddyWater hacking group. MuddyWater has been previously linked to Iran’s Ministry of Intelligence and Security (MOIS) and has targeted both government and private organisations across various sectors in the Middle East, Asia, Africa, Europe, and North America.
The samples were collected by security researchers from cybersec firm Lookout over a week. For context, Lookout has only collected 11 DCHSpy samples since 2021. These samples were disguised as VPN and dating apps and started surfacing shortly after the Iran-Israel conflict started.
Among the new lures is Starlink, Elon Musk’s satellite internet service. This lure surfaced shortly after Iran disabled internet services in the country, and Lookout reports that the use of Starlink in the sample name could indicate an attempt to lure Starlink users into downloading the spyware.

DCHSpy has been under development since samples started surfacing in 2021. However, the pace of development has significantly increased, and the spyware has acquired new abilities. At the time of writing, it can extract the following data from a compromised Android device:
- Accounts logged into the device
- Contacts
- SMS messages
- Files saved on the device’s local storage
- Location data
- Call logs
- Audio by taking over the device’s mic
- Photos by taking over the device’s camera
- WhatsApp data
The ability to extract WhatsApp data is the latest addition to DCHSpy’s arsenal. Since WhatsApp messages are end-to-end encrypted, they can’t be read in transit, forcing hackers or intelligence agencies to take over a device to gain access to them. Given its popularity, WhatsApp is a prime target for state-sponsored and other hacking groups alike.
Distribution is handled through a network of fake websites as well as phishing emails, messaging apps, and text messages. Researchers also found a Telegram channel being used to distribute the spyware.