Military personnel across the Middle East are being targeted by a surveillance operation deploying an Android data-gathering tool named GuardZoo.
This campaign, initiated around October 2019, is believed to be orchestrated by a Houthi-aligned group. This conclusion is based on various factors, including the nature of the application lures, command-and-control (C2) server logs, targeting patterns, and the geographic location of the attack infrastructure, as reported by Lookout.
Over 450 individuals have been affected, primarily in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen, with most infections occurring in Yemen.
GuardZoo is a modified version of Dendroid RAT, a commodity Android remote access trojan that was once sold for about $300 before its source code leaked. Dendroid's feature set includes calling phone numbers, deleting call logs, opening web pages, recording audio and calls, accessing SMS messages, taking and uploading photos and videos, and launching HTTP flood attacks.
The GuardZoo authors made significant changes to that code, adding capabilities and stripping out features they did not need. Unlike Dendroid, GuardZoo talks to a new ASP.NET-based C2 backend rather than Dendroid's leaked PHP web panel, so detections written for the original panel's traffic do not carry over.
The malware is distributed via WhatsApp and WhatsApp Business, as well as through direct browser downloads; every route ends in a sideloaded APK, which on Android requires the victim to allow installation from an unknown source. The malicious apps carry military and religious themes to lure targets. The operators either send the APK directly in a private chat or host it on a web server and share the download link with the target.
GuardZoo supports over 60 commands, enabling it to fetch additional payloads, download and upload files (including PDF, DOC, XLSX, and PPT documents), change its C2 address, and manage its presence on the compromised device. It also uploads mapping and GPS files (KMZ, WPT, RTE, and TRK; the latter three are waypoint, route, and track formats used by GPS mapping software) from the victim's device, which points to an interest in tracking military movements.
Since October 2019, GuardZoo has used dynamic DNS domains for C2, with the domains resolving to IP addresses registered to YemenNet. Dynamic DNS lets the operators keep a stable hostname baked into the implant while the underlying IP address changes regularly, so blocking individual IPs has little lasting effect; the hostnames are the more durable indicator.
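The two behaviours above, uploads of mapping and office files and C2 on dynamic DNS hostnames, translate directly into a triage heuristic for mobile egress logs. The following Python is an added example written for this page; it is not Lookout's tooling and uses no indicators from the report. The log format, the sample lines, and the list of dynamic DNS suffixes are constructed or assumed for illustration.

```python
"""Flag GuardZoo-style exfiltration and C2 traffic in mobile egress logs.

Added example, not Lookout's code and not published GuardZoo indicators.
Heuristics come from the behaviour described in the report: uploads of
mapping/GPS files (KMZ, WPT, RTE, TRK) and office documents, and C2
hosted on dynamic DNS domains. The log format, sample lines and the
dynamic DNS suffix list are constructed/assumed.
"""
import re
from dataclasses import dataclass

# File types the report says GuardZoo uploads; mapping files are the unusual signal.
MAPPING_EXTS = {"kmz", "wpt", "rte", "trk"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}

# Assumed: a few common dynamic DNS suffixes. Extend with your own intel.
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "duckdns.org", "hopto.org")

# Assumed log format: "<timestamp> <device> <METHOD> <url> <bytes>", one request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    device: str
    host: str
    path: str
    severity: int  # 1 = worth a look, 3 = treat as exfiltration
    reason: str


def is_ddns(host: str) -> bool:
    """True if host is on, or under, one of the assumed dynamic DNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def file_ext(path: str) -> str:
    """Extension of the last path segment, ignoring any query string."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score(method: str, ext: str, ddns: bool):
    """Rank one request; returns (severity, reason), severity 0 means ignore."""
    upload = method in ("POST", "PUT")
    if upload and ext in MAPPING_EXTS:
        return (3 if ddns else 2), "mapping/GPS file upload"
    if upload and ext in DOC_EXTS and ddns:
        return 2, "document upload to dynamic DNS host"
    if ddns:
        return 1, "traffic to dynamic DNS host"
    return 0, ""


def analyze(lines):
    """Parse log lines and return the requests worth looking at."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        host, path = m["host"], m["path"]
        sev, reason = score(m["method"], file_ext(path), is_ddns(host))
        if sev:
            findings.append(Finding(m["device"], host, path, sev, reason))
    return findings


def devices_to_triage(findings):
    """Highest severity seen per device, worst first."""
    worst = {}
    for f in findings:
        worst[f.device] = max(worst.get(f.device, 0), f.severity)
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2024-07-09T08:12:03Z dev-17 GET https://www.example.com/index.html 512
2024-07-09T08:12:09Z dev-17 POST http://tracker.ddns.net:8080/upload/route1.kmz 48211
2024-07-09T08:13:44Z dev-17 POST http://tracker.ddns.net:8080/upload/waypoints.wpt 2048
2024-07-09T08:14:02Z dev-22 POST https://drive.example.com/put/report.pdf 90210
2024-07-09T08:15:17Z dev-22 POST http://files.hopto.org/up/plan.docx 12000
2024-07-09T08:16:00Z dev-31 GET http://tracker.ddns.net:8080/cmd 77
"""

if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"[{f.severity}] {f.device} {f.reason}: {f.host}{f.path}")
    print(devices_to_triage(findings))
```

A document upload to a non-dynamic host is deliberately not flagged (that is ordinary cloud storage traffic), while a mapping-file upload is flagged wherever it goes, because the report singles out those formats as unusual for spyware. Tune the suffix list and the severity thresholds to your own fleet.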
The Houthis, who control Sanaa and northwest Yemen, have folded cyber capabilities into their operations. In May 2023, researchers at Recorded Future exposed a mobile espionage campaign linked to the Houthis that also used WhatsApp to deliver Android malware, in that case SpyNote (aka SpyMax).
GuardZoo is built above all to steal photos, documents, and mapping files, and it has already been used to take sensitive military documents from victims. The interest in mapping files, unusual for spyware of this kind, indicates a focus on tracking military troop movements, potentially feeding tactical and strategic intelligence into other Houthi operations.
Defending against GuardZoo comes down to the delivery path and the network behaviour described above. Organizations should block sideloading on managed devices (disallow installation from unknown sources through device management and keep Google Play Protect enabled), treat APK files shared through messaging apps or ad hoc download links as hostile by default, keep Android and apps patched, and train personnel to recognize themed app lures. A mobile threat defense product and egress monitoring for uploads to dynamic DNS hostnames add detection where prevention fails, and device encryption limits what an attacker with physical access can recover.