New DCHSpy Android Malware Targets WhatsApp, Call Logs, Audio, and Photos
Security researchers at Lookout have identified four novel samples of DCHSpy, an advanced Android surveillanceware attributed to the Iranian threat actor group MuddyWater, believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
These samples emerged approximately one week following the onset of the Israel-Iran conflict, highlighting the rapid adaptation of malware tooling in response to regional hostilities.
DCHSpy, which Lookout customers have been protected against since 2024, functions as a modular implant designed for comprehensive data exfiltration from infected devices.
MuddyWater’s Evolving Surveillanceware
DCHSpy systematically harvests sensitive information including logged-in accounts, contact lists, SMS messages, stored files, geolocation data, call logs, ambient audio recordings via microphone hijacking, and photographic captures through camera control.
Notably, the malware extends its reach to WhatsApp data, enabling attackers to intercept communications from this popular messaging platform.
MuddyWater, known for targeting entities in telecommunications, defense, oil and natural gas, and government ...
Copyright of this story solely belongs to gbhackers.