Security

Houthis surveillanceware targets Yemenis, Middle East militaries

Yemen's Iran-backed Houthis are using surveillanceware at home and abroad to collect both tactical and strategic military intelligence.

GuardZoo victim IPs are scattered around Middle Eastern countries. [Lookout]
GuardZoo victim IPs are scattered around Middle Eastern countries. [Lookout]

By Al-Fassel |

Yemen's Iran-backed Houthis are spying within the country and abroad using Android surveillanceware, according to researchers.

Researchers from Lookout, a cybersecurity firm, in 2022 discovered a surveillanceware that is still being used to target military personnel from Middle Eastern countries, per a report published in July.

The surveillanceware, dubbed GuardZoo by Lookout, can collect data such as photos, documents, coordinate data files related to marked locations, the device's location, model, cellular service carrier, and Wi-Fi configuration.

The campaign started around October 2019 and was still active in 2024, according to Lookout, which attributed it to a Yemeni, Houthi-aligned threat actor.

This screenshot shows a post published by hacktivist group Anonymous OpIran on Telegram leaking a list of apps allegedly used by the Houthis to spy on Yemenis.
This screenshot shows a post published by hacktivist group Anonymous OpIran on Telegram leaking a list of apps allegedly used by the Houthis to spy on Yemenis.

Military intelligence

"GuardZoo's design is specifically focused on the theft of photos, documents, and mapping files from victim devices, and it has been used to successfully steal sensitive military documents in the past," Lookout researcher Alemdar Islamoglu told The Hacker News.

The firm found more than 450 IP addresses that belonged to victims located in Yemen, Saudi Arabia, Egypt, Oman, the United Arab Emirates, Qatar and Turkey. The vast majority of victim devices were found to be in Yemen.

"We observed GuardZoo being distributed in two different ways," Islamoglu said. "First, the threat actor directly sends the APK file to the target through private chat applications (Whatsapp, Whatsapp Business) by using the file sending capability of the chat applications."

"In the second case, the threat actor uploads the file to an internet accessible server and then shares the link with the target hoping the target will download and install the APK file."

The campaign used military lures such as "Constitution Of The Armed Forces," "Limited - Commander And Staff" and "Restructuring Of The New Armed Forces," the report noted.

The mapping files indicate that "the threat actors may be interested in tracking military troop movements which are likely being recorded in navigation applications," Islamoglu said.

"This suggests that GuardZoo is being used to collect both tactical and strategic military intelligence which may be used to benefit other operations that the Houthis are conducting."

Domestic surveillance

The Houthis have adopted cyber capabilities into their arsenal in recent years to spy abroad and at home.

Insikt Group, another cybersecurity firm, in a report published in July identified OilAlpha, a likely pro-Houthi group, as being responsible for targeting humanitarian and human rights organizations operating in Yemen.

The group used malicious Android applications to steal credentials and gather intelligence, potentially to control aid distribution, according to Insikt Group.

Meanwhile, the Anonymous hacktivist group on the Anonymous OpIran telegram channel on October 2 posted a list of applications allegedly used by the Houthis' intelligence agencies and Iran's Islamic Revolutionary Guard Corps (IRGC) to spy on the Yemeni people.

The group said it would release a post detailing a list of more than 15,000 people who were identified through the applications.

Do you like this article?

Captcha *