In a troubling development in mobile cybersecurity, researchers from Lookout uncovered a campaign of fake VPN apps that act not as protectors of privacy but as spyware. The campaign, attributed to the Iranian-linked hacking group MuddyWater and delivering the spyware tracked as “DCHSpy”, impersonates legitimate VPN services on Android devices and then exfiltrates highly sensitive user data including contacts, SMS, files, location and even audio recordings. What appears to be a tool for safeguarding privacy becomes a covert surveillance vehicle.
The mechanics of the spying
The campaign’s modus operandi is disturbingly simple yet effective. Lookout’s analysis found that the spyware is embedded in apps masquerading as VPN clients (for example “EarthVPN”, “ComodoVPN” and others) and is distributed as APK downloads or via links shared in Telegram channels. These apps exploit the high demand for VPNs, especially in regions with internet restrictions such as Iran, to attract users seeking to bypass censorship or stay anonymous.
Once installed, the malicious code requests permissions to access SMS, contacts, call logs, device files and GPS location, and some variants also activate the microphone or camera. The spyware is tracked under the name “DCHSpy” and is believed to be operated by MuddyWater, a group thought to have ties with Iran’s intelligence agencies.
According to Lookout and other sources:
The campaign began in earnest one week after the Israel-Iran conflict began, a period when VPN usage in Iran surged.
The apps in question request elevated permissions, masquerade under innocuous names and are presented as “free VPN” tools.
The stealthy nature of the apps means many users remain unaware of the compromise until damage is done.
Why this matters for Android users and VPN users
Trust in VPNs is exploited
Users turn to VPNs for privacy, anonymity and security. The keyword here is VPN. When a fake VPN app instead hijacks that trust and becomes surveillance software, the consequences are grave. Data once considered safe behind encrypted tunnels now falls into adversarial hands.
Targeting high-risk users
The campaign focuses on users in restrictive internet jurisdictions, activists, journalists, and anyone using VPNs to bypass censorship or surveillance. Such users are already under threat; installing a malicious “VPN” compounds that risk.
Data stolen = asset loss
Contacts, messages, files, audio recordings, photos, location—all these represent high-value intelligence. For victims with sensitive roles, this equates to surveillance, blackmail, or worse. Security expert Azam Jangrevi remarked:
“What’s especially concerning is its use of trusted platforms … tools meant to protect privacy.”
App store and permission issues
The campaign shows how malicious apps can slip through app stores or be distributed outside them, and how elevated permissions (tabs, storage, mic, camera) can be misused. Attackers exploit the fact that users often grant broad permissions without fully understanding them.
Comparisons & context
This isn’t the first time state-linked groups have used fake VPN apps. Previous campaigns globally have seen malicious VPN clients installed with thousands of downloads and used for corporate espionage. A 2023 Bitdefender blog described how Iranian spyware was delivered through VPN installers.
In the broader VPN market, trust and transparency are critical. For example, a separate study found over 20 VPN apps with 700 million collective installs had security vulnerabilities and undisclosed links, highlighting how the landscape is fraught with risk.
The difference here is state-linked espionage, not just shady monetisation models, meaning higher stakes and targeted attacks rather than generic mass market threats.
What users should do — practical guidance
Only download VPN apps from official stores (Google Play) and check developer credibility, reviews, and update history.
Scrutinise permissions: If a free VPN asks for storage, mic, camera, SMS, contacts, location—treat with suspicion.
Use security software on Android devices that can detect spyware and unusual exfiltration behaviour.
Consider hardware-based protections if you are a high-risk user (activist, journalist, etc.). The security researcher’s advice:
“Stick to verified app stores, scrutinize app permissions, and use mobile security solutions that can detect threats like DCHSpy.”
Use trusted VPN providers with transparent no-log policies and independent audits. Free VPNs may carry increased risk of monetisation or hidden costs (including surveillance).
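The permission scrutiny recommended above, and the data categories described in the mechanics section, can be turned into a simple triage check. The script below is an added example, not code from Lookout or from the article; it assumes the app’s AndroidManifest.xml has already been decoded to text (for instance with apktool), and the sample manifest embedded in it is constructed for illustration.

```python
# Added example (not Lookout's or the article's code): triage a decoded AndroidManifest.xml
# and flag a self-described "VPN" app that asks for permissions a VPN client does not need.
# Assumes the manifest was already decoded to text XML (e.g. with apktool); sample is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions matching the data categories the article says DCHSpy collects.
SPYWARE_PERMS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the requested permissions, the spyware-like ones, and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # A genuine VPN client declares a service protected by BIND_VPN_SERVICE whose
    # intent-filter handles android.net.VpnService; an impostor that never opens a tunnel has no reason to.
    has_vpn_service = any(
        svc.get(PERM_ATTR) == "android.permission.BIND_VPN_SERVICE"
        and any(a.get(NAME_ATTR) == "android.net.VpnService" for a in svc.iter("action"))
        for svc in root.iter("service")
    )
    suspicious = {p: SPYWARE_PERMS[p] for p in requested if p in SPYWARE_PERMS}
    verdict = "suspicious" if suspicious or not has_vpn_service else "plausible"
    return {"requested": sorted(requested), "suspicious": suspicious,
            "has_vpn_service": has_vpn_service, "verdict": verdict}

# Constructed sample: a "VPN" that never declares a VpnService but wants SMS, contacts, mic and GPS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><service android:name=".Collector"/></application>
</manifest>"""

if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(r["verdict"], sorted(r["suspicious"].values()))
```

The check is a heuristic for quick triage only: some legitimate VPN apps request location for network features, so a hit should prompt closer inspection rather than stand as a final verdict.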
Conclusion
The recent campaign of fake VPN apps linked to Iran’s MuddyWater hacking group exposes a chilling truth: privacy tools can be weaponised. For Android users seeking VPN-enabled anonymity, the trust placed in such tools is under threat. The term VPN should signal privacy and security, not an excuse for blind convenience. This incident serves as a stark warning: always verify what you install, what permissions you grant, and who stands behind your VPN provider. In an age where mobile surveillance is increasingly sophisticated, vigilance and informed choice are your first line of defence.