
DCHSpy Android Malware Linked to Iran Secretly Spies on Thousands in New Cyber Campaign

Iran-Linked DCHSpy Android Malware Exposes Covert Surveillance Operation

Experts warn of rising spyware threats as new Iranian-linked malware abuses accessibility features to monitor Android users undetected.

MAG212NEWS | July 22, 2025

A newly uncovered cyber espionage campaign using stealth Android spyware known as DCHSpy has been attributed to Iran-linked threat actors, marking a significant escalation in mobile surveillance tactics across the Middle East. According to a detailed report by cybersecurity researchers at Check Point, the sophisticated malware operates silently on infected Android devices, enabling adversaries to extract sensitive information with alarming precision and persistence.

“DCHSpy exemplifies the next generation of mobile surveillance tools—technically advanced, highly evasive, and politically charged,” said Yoav Finkel, a mobile threat analyst at Check Point.

Infiltration Through Accessibility Services

The malware first came to light in July 2025, targeting Android devices through manipulated apps that require extensive permissions—specifically abusing Android Accessibility Services. This feature, originally designed to support users with disabilities, has become a popular attack vector for spyware developers seeking to gain full control over device interactions.

Once granted access, DCHSpy enables a range of covert operations:

  • Keylogging: capturing keyboard input, including passwords and messages
  • Screen recording and screenshots
  • Microphone activation for ambient audio capture
  • Location tracking
  • File exfiltration, including photos, documents, and contact lists

The malware operates persistently in the background, evading user detection and traditional security tools through advanced obfuscation techniques.

Attribution to Iran’s Domestic Cyber Capabilities

Cyber threat analysts have linked DCHSpy to an Iranian state-sponsored group known for targeting regional dissidents, government officials, and political activists. While researchers stopped short of naming a specific Advanced Persistent Threat (APT), indicators and infrastructure overlap with prior campaigns attributed to APT-C-50, also known as Domestic Kitten—a group widely believed to be operated under Iran’s Ministry of Intelligence.

“This is more than surveillance. It’s an authoritarian tool for digital repression,” said Sara Khatami, a Middle East cybersecurity policy fellow at the Atlantic Council.

Global Implications: Surveillance in the Age of Mobile Dependence

The campaign underscores a growing global risk: the weaponization of mobile accessibility features by nation-state actors. As smartphones become central to both personal and professional life, the impact of such espionage campaigns can be devastating—compromising not just individual privacy, but national security and diplomatic integrity.

Victims are believed to include human rights activists, exiled dissidents, and journalists—a pattern consistent with previous Iranian surveillance operations.

Technical Recommendations and Mitigation

Experts urge users and organizations to take proactive steps to defend against spyware like DCHSpy:

  • Limit app permissions—especially for Accessibility Services
  • Avoid sideloading APKs from untrusted sources
  • Enable Google Play Protect and use verified security apps
  • Keep Android OS and apps updated
  • Monitor device behavior for unusual activity or battery drain

Mobile security teams are also being advised to integrate mobile threat defense (MTD) solutions that can detect behavioral anomalies and enforce zero-trust policies for mobile devices.
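The first two recommendations above can be checked on a connected device. The following script is an added example written for this article, not code from Check Point or from the DCHSpy report: it reads the enabled accessibility services and the installer of every third-party app over adb and flags apps that are sideloaded, hold accessibility access, or both. The adb commands and their output formats are standard Android tooling; the package names and sample outputs are constructed, and the trusted-installer set is an assumption.

```python
"""Triage an Android device for two risk signals the article's recommendations
name: third-party apps holding Accessibility Services, and sideloaded apps.
adb commands/output formats are standard Android; samples are constructed."""
import subprocess

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play (assumption)
# Constructed sample output in the format the two adb commands return.
SAMPLE_ACCESS = "com.example.screenreader/.ReaderService:com.example.vpnfree/.A11ySvc"
SAMPLE_PKGS = """package:com.example.vpnfree  installer=null
package:com.example.bank  installer=com.android.vending"""

def adb(args):
    """Run `adb shell <args>` and return its stdout as text."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_accessibility_services(raw):
    """`settings get secure enabled_accessibility_services`: ':'-separated
    'pkg/Service' entries, or 'null' when none are enabled. Returns packages."""
    raw = raw.strip()
    return set() if raw in ("", "null") else {e.split("/", 1)[0] for e in raw.split(":") if e}

def parse_installers(raw):
    """`pm list packages -3 -i` prints 'package:com.pkg  installer=<pkg|null>'."""
    out = {}
    for line in raw.splitlines():
        if line.startswith("package:"):
            pkg, _, inst = line[len("package:"):].partition("installer=")
            out[pkg.strip()] = inst.strip() or "null"
    return out

def triage(access_raw, pkgs_raw):
    """Map each suspicious package to {"sideloaded": bool, "accessibility": bool}."""
    access = parse_accessibility_services(access_raw)
    findings = {}
    for pkg, inst in parse_installers(pkgs_raw).items():
        side = inst not in TRUSTED_INSTALLERS
        if side or pkg in access:
            findings[pkg] = {"sideloaded": side, "accessibility": pkg in access}
    for pkg in access - findings.keys():  # preloaded/system accessibility holders
        findings[pkg] = {"sideloaded": False, "accessibility": True}
    return findings

if __name__ == "__main__":
    try:  # live device when adb is reachable, otherwise the constructed sample
        data = (adb(["settings", "get", "secure", "enabled_accessibility_services"]),
                adb(["pm", "list", "packages", "-3", "-i"]))
    except (OSError, subprocess.CalledProcessError):
        data = (SAMPLE_ACCESS, SAMPLE_PKGS)
    print(triage(*data))
```

An app that is both sideloaded and holds accessibility access is the profile the article describes for DCHSpy and deserves manual review; a preloaded screen reader showing up as an accessibility holder is expected.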
