A group aligned with the Houthi movement has been using a malicious Android surveillanceware known as GuardZoo since October 2019 to target military personnel in the Middle East. The group employs social engineering tactics, using military-themed content to deceive victims into downloading the malware.
GuardZoo is a Remote Access Trojan (RAT) that gives attackers remote control over infected devices, enabling data exfiltration and the installation of additional malware. The campaign is still active and has affected users in countries such as Yemen, Saudi Arabia, Egypt, and Oman. Google has confirmed that no apps infected with GuardZoo are currently available on Google Play.
Derived from the leaked Dendroid RAT, GuardZoo has a custom Command and Control (C2) backend built with ASP.NET, a departure from the original PHP web panel. The malware communicates with its C2 server via primary address https://wwwgoogl.zapto[.]org and a backup at https://somrasdc.ddns[.]net. GuardZoo offers over 60 commands, most of which are unique to the malware and presumably added by the attacker for malicious activities.
One distinctive feature of GuardZoo is its ability to download and load external DEX files from a C2 server without requiring a full APK update. The update process downloads the DEX file from the C2 server, places it in the “dex” folder of the app’s data directory, and then restarts the app to load the new file. While this method is outdated, the capability to load DEX files dynamically remains in the code and could be used in the future.
The Yemeni malware GuardZoo utilizes dynamic DNS domains registered to YemenNet for C2 communication, using self-signed certificates and an ASP.NET backend on IIS 10. Upon infecting a device, GuardZoo initiates contact with the C2 server and carries out specific commands such as uploading geolocation files, setting retry windows, disabling local logging, and uploading file metadata. Communication occurs over HTTPS, although the request body is not encrypted.
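The C2 indicators and traffic pattern described above (known dynamic-DNS hosts, self-signed TLS, HTTPS transport) can be turned into simple detection logic. The following is an added example written for this summary, not code from Lookout or from the malware: it matches proxy log lines against the two C2 hosts quoted in the text (refanged from their defanged form) and, at lower confidence, flags self-signed TLS connections to other hosts under the same dynamic-DNS suffixes. The log line format and the sample records are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# C2 hosts quoted in the write-up, published defanged; refanged here for matching.
GUARDZOO_C2_HOSTS = {
    "wwwgoogl.zapto[.]org".replace("[.]", "."),
    "somrasdc.ddns[.]net".replace("[.]", "."),
}
# Dynamic-DNS suffixes of the two known hosts. Other hosts under them are only a
# weak signal (these services have many legitimate users), so report them as "low".
DYNAMIC_DNS_SUFFIXES = ("zapto.org", "ddns.net")

# Constructed sample proxy log (not real traffic): "<ts> <client> <method> <url> <tls-cert>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.12 POST https://wwwgoogl.zapto.org/api/upload self-signed
2024-06-01T10:00:07Z 10.0.0.12 GET https://www.google.com/ trusted
2024-06-01T10:02:15Z 10.0.0.31 POST https://somrasdc.ddns.net/cmd self-signed
2024-06-01T10:05:40Z 10.0.0.44 GET https://example.zapto.org/status self-signed
2024-06-01T10:06:02Z 10.0.0.44 GET https://cdn.example.net/lib.js trusted
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(url, tls_cert):
    """Return (confidence, reason) for one request, or None if nothing matches."""
    host = (urlsplit(url).hostname or "").lower()
    if host in GUARDZOO_C2_HOSTS:
        return "high", "known GuardZoo C2 host"
    if tls_cert == "self-signed" and any(host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        return "low", "self-signed TLS to dynamic-DNS host"
    return None


def find_guardzoo_c2_hits(log_text):
    """Parse proxy log lines; return hits with timestamp, client, host, confidence, reason."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, _method, url, tls_cert = m.groups()
        verdict = classify(url, tls_cert)
        if verdict:
            hits.append({"ts": ts, "client": client, "host": urlsplit(url).hostname.lower(),
                         "confidence": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in find_guardzoo_c2_hits(SAMPLE_LOG):
        print(hit)
```

A "low" hit alone is not proof of GuardZoo; it is a lead to correlate with the device's installed apps and the command pattern (geolocation uploads, file metadata uploads) described above.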
Since at least December 2022, GuardZoo has been targeting devices in the Middle East with military, religious, and e-book themed lures that trick users into installing the malware. Initial infection vectors include WhatsApp, WhatsApp Business, and browser downloads. Analysis of the unsecured C2 server logs, which also recorded the IP addresses and mobile carrier information of victim devices, indicates that victims are mainly located in Yemen, Saudi Arabia, and Egypt, with fewer instances in Oman, the United Arab Emirates, Turkey, and Qatar.
Lookout’s examination of the C2 server revealed that it was purchased on March 18th, 2019, from a distributor in the United Arab Emirates, likely serving Yemen. While the codebase was primarily in English, the user interface and messages were in Modern Standard Arabic. The project was named “Project 500” locally, and log entries suggest the targets were Pro-Hadi forces supporting Yemen’s internationally recognized government, as indicated by a document referencing the Yemeni Ministry of Defense.
In conclusion, GuardZoo represents a significant threat to military personnel in the Middle East, exploiting social engineering tactics to deceive victims and establish remote control over infected devices. The ongoing campaign underscores the importance of cybersecurity vigilance and protection against advanced malware threats targeting sensitive entities in the region.

