A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to target military personnel in the Middle East by leveraging social engineering tactics and using military-themed lures to trick victims into downloading the malware.
Based on a preexisting RAT (Remote Access Trojan) called Dendroid, GuardZoo grants attackers remote control over the infected device, allowing for data exfiltration and potentially additional malware installations.
The campaign remains active and has targeted users in Yemen, Saudi Arabia, Egypt, and Oman, as Google has confirmed that no GuardZoo-infected apps are currently available on Google Play.
.png
)
GuardZoo, a derivative of the leaked Dendroid RAT, utilizes a custom C2 backend built with ASP.NET instead of the original’s PHP web panel.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
It communicates with its C2 server through its primary address, https://wwwgoogl.zapto[.]org and a backup at https://somrasdc.ddns[.]net. GuardZoo boasts over 60 commands, most exclusive to it and presumably added by the attacker, for various malicious tasks.
.webp)
An app can download and load external DEX files from a C2 server instead of requiring a full APK update, which is downloaded from “<C2 Address>/updateApp?dexfile=classes.dex” and placed in the app’s data directory’s “dex” folder.
The app then restarts to load the new DEX file. While this secondary payload delivery method is deprecated, the code for DEX loading is still present, potentially allowing the app to revert to this method in the future.
.webp)
GuardZoo, a Yemeni malware, utilizes dynamic DNS domains registered to YemenNet for C2 communication by employing self-signed certificates and using the ASP.NET backend on IIS 10.
Upon infecting a device, GuardZoo establishes connection and retrieves initial commands: uploading specific geolocation files (KMZ, WPT, RTE, TRK) created after a set date, setting a 15-minute retry window on errors, disabling local logging, and uploading file metadata.
Communication is over HTTPS, but the request body is unencrypted.
.webp)
GuardZoo, a malware family, has been targeting devices in the Middle East since at least December 2022 by luring users with various themes, including military, religious, and ebooks, to trick users into installing it.
The initial infection vectors are WhatsApp, WhatsApp Business, and browser downloads.
Unsecured C2 server logs reveal that victims are mostly located in Yemen, Saudi Arabia, and Egypt, with a smaller number in Oman, the United Arab Emirates, Turkey, and Qatar.
The logs also contain IP addresses and mobile carrier details of the victim devices.
.webp)
Analysis of the C2 server by Lookout revealed its purchase on March 18th, 2019, from a distributor in the United Arab Emirates, likely serving Yemen.
The codebase itself was primarily English, but the user interface and messages indicated Modern Standard Arabic usage.
The timezone was set to “Asia/Baghdad” (GMT+3) and the project was named “Project 500” locally, while log entries suggested the targets were Pro-Hadi forces, Yemen’s internationally recognized government, further corroborated by an exfiltrated document referencing the Yemeni Ministry of Defense.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo
