Spyware attributed to pro-Houthi hackers used against militaries across Middle East
Updated with details about new research on the pro-Houthi OilAlpha group.
Surveillance technology deployed by allies of a Yemeni Shia Islamist organization has been used to target militaries across the Middle East since 2019, new research shows.
A Houthi-aligned threat actor used malware referred to as GuardZoo to collect photos, documents and other files stored on infected devices, researchers at mobile security firm Lookout said in a report Tuesday.
According to unsecured command and control server logs, most of the roughly 450 victims were located in Yemen, Saudi Arabia, Egypt and Oman, with a smaller number found in the United Arab Emirates, Turkey and Qatar.
The Houthis took control of Yemen’s capital city in 2014, leading to a civil war and famine. Human rights groups have reported that beginning in June 2019 a controversial Saudi-led intervention there sparked a wave of arbitrary arrests, torture and enforced disappearances.
The attribution to the Houthi-aligned threat actor was made via “application lures, exfil data, targeting and the C2 infrastructure location,” according to the report.
The surveillance tool is named after a piece of source code that persistently clings to an infected device, Lookout said. In addition to stealing photos and documents, it also can “coordinate data files related to marked locations, routes and tracks,” the report said, and is able to identify an infected device’s location, model, cellular service carrier and Wi-Fi configuration.
GuardZoo also can download and install “arbitrary applications on the device – indicating it can introduce new invasive capabilities as long as the device is infected,” the report said.
The spyware has mainly been found in military-themed applications, Lookout said, and distribution and infections have largely originated in WhatsApp, WhatsApp Business and through browser downloads. In a minority of other cases, victims were lured by content containing a religious-themed prayer app or an e-book theme.
GuardZoo was first discovered by researchers in October 2022. Lookout says the tool is based on a “commodity spyware” named Dendroid RAT, which has been in use for at least a decade.
Upon infecting a device, GuardZoo connects to the command and control server and by default sends four commands to every new victim, including commands to deactivate local logging and to upload metadata for all files with certain extensions.
“These extensions are related to maps, GPS and markings showing waypoints, routes and tracks,” Lookout’s report said.
Although lures for GuardZoo were originally general, they’ve evolved to include military themes with titles like “Constitution Of The Armed Forces” and “Restructuring Of The New Armed Forces.” Emblems for the militaries of various Middle Eastern countries, including Yemen and Saudi Arabia, appeared on military apps used as a lure.
App lures also used military emblems from different countries such as the Yemen Armed Forces and Command and Staff College of the Saudi Armed Forces.
On Tuesday, Recorded Future’s Insikt Group released research documenting that another likely pro-Houthi group, OilAlpha, is targeting humanitarian and human rights organizations in Yemen with malicious Android applications.
The group then steals credentials and collects intelligence, likely so that it can dictate the distribution of aid.
CARE International and the Norwegian Refugee Council are among the groups that have been targeted in the campaign, which Insikt Group first detected last May.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.