A years-long espionage campaign targeting military interests in the Middle East has been uncovered, with a threat actor suspected of being aligned with Houthi rebels in Yemen at the helm. This shadowy figure has been using a custom Android surveillanceware known as “GuardZoo” to infiltrate and steal sensitive intelligence from military entities across the region.
The GuardZoo campaign, as it has been dubbed, employs a sneaky tactic to lure victims in: distributing malicious links via the popular messaging platform WhatsApp and its business counterpart, WhatsApp Business. These links lead unsuspecting users to fake apps hosted outside the Google Play store, with themes ranging from generic to military-specific. Once one of these apps is installed, GuardZoo is unleashed on the victim’s device.
GuardZoo, essentially a modified version of the notorious “Dendroid RAT,” is equipped with a range of commands tailored to gather intelligence sought by its operators. This customization has enabled the threat actor to operate under the radar for several years, avoiding detection until now. Upon infection, GuardZoo immediately goes to work by disabling local logging and extracting files related to GPS and mapping applications from the victim’s device.
The malware is also capable of downloading additional malicious software, gathering information about the victim’s device, and much more. The sophisticated nature of GuardZoo’s capabilities has raised concerns about its potential impact on national security and military operations in the region.
According to Christoph Hebeisen, Lookout director of security intelligence research, GuardZoo’s emphasis on mapping-related file extensions strongly suggests military targeting. The majority of impacted IP addresses were traced back to Yemen, with the remainder located in other countries such as Saudi Arabia, Egypt, the UAE, Turkey, Qatar, and Oman. The connection to Houthi rebels was further solidified by the location of the malware’s command-and-control server, which was linked to a telco provider operating in Houthi-controlled territory.
In response to this cyber espionage campaign, Lookout has issued a statement urging Android users to exercise caution when downloading apps from outside trusted sources like Google Play. Keeping apps updated and monitoring permissions granted to applications are critical steps in safeguarding against threats like GuardZoo.
As the GuardZoo campaign continues to unfold, authorities and security experts are working diligently to identify and neutralize the threat posed by this sophisticated surveillanceware. The implications of this espionage operation extend far beyond the digital realm, highlighting the ongoing challenges of cybersecurity in an increasingly connected world.
