Houthi-Aligned APT Targets Mideast Militaries With ‘GuardZoo’ Spyware

July 10, 2024 at 01:16AM

A threat actor linked to Houthi rebels in Yemen has been using a custom Android surveillanceware called “GuardZoo” to spy on military targets in the Middle East for five years. The malware is delivered through links shared on WhatsApp and WhatsApp Business that lead to fake apps hosted outside Google Play, and it has targeted military-related organizations. The majority of affected IP addresses were in Yemen.

Key takeaways from the report:

1. A threat actor, possibly aligned with Houthi rebels in Yemen, has been using a custom Android surveillanceware called “GuardZoo” to spy on military targets in the Middle East for the past five years.

2. The GuardZoo campaign begins with the distribution of malicious links on WhatsApp and WhatsApp Business, leading to fake apps outside of the Google Play store.

3. The malware, GuardZoo, is a leaked “Dendroid RAT” retrofitted with commands specific to spying on military enemies and has been in operation since October 2019.

4. GuardZoo’s initial actions upon infection involve disabling local logging and exfiltrating specific file types related to GPS and mapping apps.

5. The malware can also download further malware, read information about the victim’s device, and more.

6. The majority of the 450 affected IP addresses were concentrated in Yemen but also spanned other countries in the region.

7. The Houthi connection is strengthened by the location of the malware’s command-and-control (C2) server, which uses dynamic IP addresses from a telco provider operating in a Houthi-controlled area.

8. To defend against this campaign, Android users are advised to avoid apps outside of Google Play, keep their apps up to date, and be cautious of excessive permissions.
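The last two takeaways (sideloaded apps, excessive permissions) translate directly into a triage check an analyst can run over `adb shell dumpsys package` output. The script below is an added example, not code from the article or from the researchers who reported GuardZoo: it parses a simplified package dump, marks apps whose installer is not the Play Store, and flags those that also request permissions matching the behaviours described above (location access, storage access for GPS and mapping files, installing further packages). The package names, the permission set and the dump text are constructed for illustration; the dump format is an approximation of real `dumpsys package` output and may need adjusting for a given Android build.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Permissions that together match the behaviours attributed to GuardZoo:
# locating the device, reading mapping/GPS files from storage and pulling
# in additional packages.  This set is an editorial choice, not from the article.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
}
PLAY_STORE = "com.android.vending"  # installer name used by Google Play


@dataclass
class AppInfo:
    package: str
    installer: Optional[str] = None          # None means sideloaded / unknown
    permissions: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> List[AppInfo]:
    """Parse a (simplified) 'dumpsys package' dump into one record per package.

    Recognised lines: 'Package [name]', 'installerPackageName=...', and any
    line beginning with 'android.permission.'.  Everything else is ignored.
    """
    apps: List[AppInfo] = []
    current: Optional[AppInfo] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = AppInfo(package=m.group(1))
            apps.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"installerPackageName=(\S+)", line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        m = re.match(r"(android\.permission\.[A-Z_]+)", line)
        if m:
            current.permissions.add(m.group(1))
    return apps


def triage(apps: List[AppInfo], risky: Set[str] = RISKY_PERMISSIONS) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for apps that are sideloaded AND request risky permissions.

    A Play-installed map app legitimately asks for location, and a sideloaded
    app that only wants INTERNET is low signal, so both conditions must hold.
    """
    findings: Dict[str, List[str]] = {}
    for app in apps:
        sideloaded = app.installer != PLAY_STORE
        hits = sorted(app.permissions & risky)
        if sideloaded and hits:
            findings[app.package] = [
                f"sideloaded (installer={app.installer})",
                "risky permissions: " + ", ".join(hits),
            ]
    return findings


# Constructed sample dump; package names are hypothetical, not real apps.
SAMPLE_DUMP = """\
Package [com.example.maps.offline] (constructed sample):
    installerPackageName=null
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.INTERNET
Package [com.example.navigator] (constructed sample, Play-installed):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
Package [com.example.sideloaded.game] (constructed sample):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
"""


if __name__ == "__main__":
    for pkg, reasons in triage(parse_dumpsys(SAMPLE_DUMP)).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

For a live device, feed the script the output of `adb shell dumpsys package` (or `dumpsys package <name>` per package) instead of `SAMPLE_DUMP`; the permission set should be tuned to the environment, since the point is to surface sideloaded apps that reach for the same data GuardZoo collects, not to judge Play-installed apps.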
