An American company reveals that the Houthis are using an Android spy program to target members of government forces

Translations | 9 July 2024 - 3:30 PM

Yemen Shabab Net: Translation - Abu Bakr Al-Faqih

Lookout, a data-driven cloud security company, today announced the discovery of Android-based surveillance software that is actively targeting military personnel in Middle Eastern countries.

The campaign, which the company named "GuardZoo," uses malicious applications with military and religious themes as lures, delivered to victims through social engineering on mobile devices.

While Lookout is still actively analyzing the data, it has so far identified more than 450 IP addresses belonging to victims primarily located in Yemen, Saudi Arabia, Egypt, Oman, the United Arab Emirates, Qatar, and Turkey.

Based on the application lures, the targeting, and the locations of the servers controlled by the threat actors, Lookout attributes GuardZoo to a Yemeni threat actor aligned with the Houthis. In January 2024, the United States government reclassified the Houthi militia as a Specially Designated Global Terrorist Group.

The most prominent threats discovered

Distribution appears to occur via social engineering over WhatsApp and mobile browsers. The GuardZoo campaign collects data such as photos, documents, location data, saved GPS tracks, device model number, mobile carrier, and Wi-Fi configuration from infected devices.

Most of the victims appear to be in Yemen. Based on the findings, researchers believe that many of them are members of Yemeni government forces.

GuardZoo is based on a spyware family called Dendroid RAT, which Lookout already protects its customers against. As is often the case, the developers behind the GuardZoo campaign took an existing malware family and created a new version of it with updated capabilities.

In this case, one notable capability is that GuardZoo can act as a conduit between the threat actor and the victim's device, allowing the threat actor to download additional malware onto the infected device. This could introduce further intrusion capabilities that would benefit the threat actor.

Researchers also noted that recent samples from the campaign impersonate religious applications, e-books, and military texts such as "Constitution of the Armed Forces," "Limited - Commander and Staff," and "Restructuring the New Armed Forces."

When reviewing the log entries, the researchers found that the targeting of military personnel was further confirmed by the discovery of leaked documents belonging to the military leadership. For example, the title of one document translated to "Top Secret, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance Department."

"The discovery of this campaign reminds us of the growing threat posed by advanced surveillance software," said Aaron Cockerill, Executive Vice President of Products and Security at Lookout.

"These spyware packages can be used to collect a wide range of data from infected devices, which, in the case of the GuardZoo campaign, could put military personnel and operations at risk."

He added: "We urge security professionals to be aware of this threat and take the necessary steps to protect their users, their personal data, and their work data."

All rights reserved to YemenShabab 2024