Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo.
The campaign, believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack infrastructure location, according to Lookout.
More than 450 victims have been impacted by the malicious activity, with targets located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen. Telemetry data indicates that most of the infections have been recorded in Yemen.
GuardZoo is a modified version of an Android remote access trojan (RAT) named Dendroid RAT that was first discovered by Broadcom-owned Symantec in March 2014. The entire source code associated with the crimeware solution was leaked later that August.
Originally marketed as a commodity malware for a one-off price of $300, it comes with capabilities to call a phone number, delete call logs, open web pages, record audio and calls, access SMS messages, take and upload photos and videos, and even initiate an HTTP flood attack.
"However, many changes were made to the code base in order to add new functionalities and remove unused functions," Lookout researchers Alemdar Islamoglu and Kyle Schmittle said in a report shared with The Hacker News. "GuardZoo doesn't use the leaked PHP web panel from Dendroid RAT for Command and Control (C2) but instead uses a new C2 backend created with ASP.NET."
Attack chains distributing GuardZoo leverage WhatsApp and WhatsApp Business as distribution vectors, with the initial infections also taking place via direct browser downloads. The booby-trapped Android apps bear military and religious themes to entice users into downloading them.
"We observed GuardZoo being distributed in two different ways," Islamoglu told The Hacker News. "First, the threat actor directly sends the APK file to the target through private chat applications (Whatsapp, Whatsapp Business) by using the file sending capability of the chat applications."
"In the second case, the threat actor uploads the file to an internet accessible server and then shares the link with the target hoping the target will download and install the APK file."
The updated version of the malware supports more than 60 commands that allow it to fetch additional payloads, download files and APKs, upload files (PDF, DOC, DOCX, XLX, XLSX, and PPT), and images, change C2 address, and terminate, update, or delete itself from the compromised device.
The Android malware also possesses functionality to upload all files with extensions KMZ, WPT, RTE, and TRK, each of which correspond to mapping and CompeGPS data showing waypoints, routes and tracks.
"GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019," the researchers said. "These domains resolve to IP addresses registered to YemenNet and they change regularly."
The Houthis – a militant group that controls Sanaa and the north-west of Yemen – have adopted cyber capabilities into their arsenal in recent years. In May 2023, Recorded Future revealed a mobile espionage campaign undertaken by a hacking group with ties to the movement that used WhatsApp to deploy an Android malware known as SpyNote (aka SpyMax).
"GuardZoo's design is specifically focused on the theft of photos, documents, and mapping files from victim devices, and it has been used to successfully steal sensitive military documents in the past," Islamoglu said.
"The mapping files in particular are not commonly collected in similar spyware used by other threat actors, and indicates that the threat actors may be interested in tracking military troop movements which are likely being recorded in navigation applications. This suggests that GuardZoo is being used to collect both tactical and strategic military intelligence which may be used to benefit other operations that the Houthis are conducting."
Update
A Google spokesperson shared the following statement with The Hacker News: "Google Play Protect warns users, blocks and automatically uninstalls apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play."
(The story was updated after publication to include additional comments from Lookout and Google.)