Houthi Rebels Are Operating Their Own GuardZoo Spyware

Interview When it comes to surveillance malware, sophisticated spyware with complex capabilities tends to hog the limelight – for example NSO Group’s Pegasus, which is sold to established governments. But it’s actually less polished kit that you’ve never heard of, like GuardZoo – developed and used by Houthi rebels in Yemen – that dominates the space.

This is according to Lookout principal researcher Justin Albrecht, who spoke to us about the analyst’s report, out today, revealing the existence of GuardZoo. The report says that the Dendroid RAT-based Android surveillanceware, first spotted in 2022, is still active. It has actually been on the scene since at least 2019, Lookout says. The infoseccers believe GuardZoo is linked to Houthi rebels – based on its targeting of Yemeni military members, as well as logs from GuardZoo’s C2 server, its lures, and other data points. 

GuardZoo is distributed via WhatsApp or direct browser downloads, and appears to rely on social engineering tricks – for example it impersonates legitimate apps and disseminates military-themed content – to con users into installing it. Along with seeing it on the devices of victims in Yemen, Lookout says it has also viewed samples of GuardZoo on hardware belonging to military staff in Saudi Arabia, Egypt, and Oman. 

GuardZoo’s developers gave it its own C2 backend instead of relying on the existing code harvested from Dendroid RAT, and the malware is also able to download and use .dex files to update itself stealthily. 

Many of the installations detected by Lookout spoofed location tracking apps that allow the use of GPS without a cellular signal, and much of the data pulled by a fresh GuardZoo installation involves extensions like KMZ, WPT and TRK – all of which involve geolocation. This suggests its controllers are using it to gather intelligence and track troop movements – further cementing the link to Houthi rebels, Albrecht claims. 

The malware also has the ability to steal photos, documents, device and configuration data. 

How dangerous can a modified, decade-old RAT really be?

If you peruse Lookout’s report, you might be wondering how dangerous such a derivative and narrowly targeted malware can be to the world at large, especially with government-sponsored nasties like Pegasus available to any state with enough cash to afford the licenses. 

“This isn’t the most sophisticated malware we’ve seen,” Albrecht tells The Register. “It’s nowhere near as advanced as something like Pegasus, but it does have similar capabilities.” 

The big difference between spyware like Pegasus and GuardZoo comes down to how it’s being distributed, Albrecht says. Pegasus, a kernel-level implant that’s incredibly hard to detect and mitigate, relies on exploit changes and vulnerabilities invisible to victims to worm its way onto target devices in a so-called zero-click attack. GuardZoo, and other surveillance malware like it, lacks the ability to capitalize on such obscure vulnerabilities, instead relying on tricking users into installing it with social engineering tactics. 

GuardZoo’s operators don’t seem ambitious, either – the earliest samples detected are five years old, and GuardZoo is still targeting the same people. There have been only a couple of detections outside the Middle East, and those are likely to be the work of other security researchers, Albrecht opines. 

But while GuardZoo and the Houthi rebels allegedly behind it might not be a threat to an enterprise IT company in the American Midwest, there are plenty of other surveillance malware operators around the world using similar malicious software, and their numbers are growing. 

“We’ve seen an increase in government-backed spyware development and surveillanceware,” Albrecht observes, to the point where most advanced persistent threat (APT) groups tied to foreign governments have malware similar to GuardZoo. But few use tools as sophisticated as Pegasus.  

“What we’re typically seeing with APTs tied to countries like Russia, China, North Korea, or Iran is that they have mobile, app-based tools,” Albrecht tells us, “but most are delivered by social engineering.” 

So it’s not the threat from GuardZoo you need to be aware of, but all the similar surveillance malware that could be deployed by state-backed cyber baddies with greater ambition, he says. 

GuardZoo and other app-based surveillance malware is “rampant, and very effective,” Albrecht warns. “It collects the same data as Pegasus … [while] offering a low-budget option.” So get those patches installed, phish your users for fun again, and don’t ignore any threat – even one that hasn’t shown any signs of targeting you or your systems. Yet. ®