GuardZoo spyware used by Houthis to target military personnel
Lookout discovered GuardZoo, Android spyware targeting Middle Eastern military personnel. This campaign leverages malicious apps with military and religious themes to lure victims via social engineering on mobile devices.
While researchers are still actively analyzing data, thus far, they have seen more than 450 IP addresses belonging to victims primarily located in Yemen, Saudi Arabia, Egypt, Oman, the United Arab Emirates (UAE), Qatar, and Turkey. Based on application lures, targeting, and threat actor-controlled server locations, Lookout attributes GuardZoo to a Yemeni, Houthi-aligned threat actor. In January 2024, the U.S. government re-designated the Houthi militia as a Specially Designated Global Terrorist group.
GuardZoo spyware
GuardZoo is based on a commodity spyware named Dendroid RAT. As is frequently the case, the developers behind GuardZoo took an existing malware family and created a new variation with updated capabilities. In this case, one interesting capability is that GuardZoo can act as a conduit between the threat actor and the victim’s device, allowing the threat actor to download additional malware to the infected device. This could introduce additional invasive capabilities that would benefit the threat actor.
Researchers also noticed that recent GuardZoo samples have been used as religious, e-book, and military-themed apps such as “Constitution of the Armed Forces,” “Limited – Commander and Staff” and “Restructuring of the New Armed Forces.” When observing log entries, the targeting of military personnel was solidified with the discovery of exfiltrated documents belonging to military leadership. For example, one document’s title translated to “Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance Division.”
“The discovery of GuardZoo is a reminder of the growing threat posed by advanced surveillanceware,” said Aaron Cockerill, Executive VP of Product & Security, Lookout. “These spyware packages can be used to collect a wide range of data from infected devices, which in the case of GuardZoo, could put military personnel and operations at risk. We urge security professionals to be aware of this threat and to take steps to protect their users, and work and personal data.”
How to protect yourself from GuardZoo
To protect both business and personal Android devices from GuardZoo and other surveillanceware, researchers recommend the following basic steps that anyone can take.
- Keep your operating system and apps updated, as most updates are related to security patches.
- Only install apps from Google Play, not third-party sources. If you happen to receive a message asking you to install an app from a website, immediately block the number and report the incident to your IT or security team.
- Be aware of the permissions that mobile apps ask for. Overly invasive permissions, even from legitimate apps, could create data risk for your organization.
- Implement a mobile security solution to detect and protect against malware and keep your organization safe.