Report: Houthis spy on Yemeni military leaders and other countries since 2019

Yemen Monitor/Sana’a/Exclusive:

A new study has revealed that the Houthi armed group has been using espionage technology to target militaries across the Middle East since 2019.

An actor aligned with the Houthis used malware known as “GuardZoo” to collect photos, documents, and other files stored on infected devices, according to researchers at mobile security firm “Lookout” in a report released Tuesday that was obtained by Yemen Monitor.

According to logs from unsecured command and control servers, most of the approximately 450 victims were located in Yemen, Saudi Arabia, Egypt, and Oman, with smaller numbers in the UAE, Turkey, and Qatar.

The report reveals that the Houthis have been spying on 88 military commanders in the Yemeni government, 14 in Saudi Arabia, 5 in Egypt, 2 in the UAE, and 1 each in Qatar, Oman, and Turkey.

The Houthis seized the Yemeni capital in 2014, sparking a civil war and famine. Human rights groups have reported that since June 2019, the Houthis have carried out a wave of arbitrary detentions, torture, and enforced disappearances.

The surveillance tool takes its name from a piece of its source code that persistently clings to a target device, “Lookout” said. In addition to stealing photos and documents, it can also “format data files related to specific locations, routes, and paths,” the report said, and is capable of identifying the infected device’s location, model, cellular service provider, and Wi-Fi configuration.

“GuardZoo” can also download and install “arbitrary applications on the device – suggesting that new invasive capabilities can be introduced as long as the device is infected.”

Lookout said the spyware was primarily found in military-themed apps and that distribution and infections largely originated on WhatsApp and WhatsApp Business, and through browser downloads. In a smaller number of cases, victims were lured with other content, including a religiously themed prayer app or an e-book.

GuardZoo was first discovered by researchers in October 2022. The Lookout report says the tool is based on a “commodity spyware” called Dendroid RAT, which has been in use for at least a decade.

When a device is infected, GuardZoo connects to its command-and-control server and by default sends four commands to each new victim, including disabling local logging and uploading metadata for all files.

While GuardZoo’s lures were originally general, they evolved to include military topics with titles such as “Armed Forces Constitution” and “New Armed Forces Restructuring.” Logos of militaries from various Middle Eastern countries, including Yemen and Saudi Arabia, appeared on the military apps used as lures.

On Tuesday, the “Insikt Group” affiliated with “Recorded Future” released research documenting that another group possibly loyal to the Houthis, called OilAlpha, is targeting humanitarian and human rights organizations in Yemen with malicious Android apps.

The Houthi hackers then steal credentials and collect intelligence, likely so that they can dictate aid distribution.

CARE International and the Norwegian Refugee Council are among the groups that have been targeted in the campaign, which Insikt Group first discovered last May.