GuardZoo, an Android RAT targeting Middle Eastern military personnel since October 2019, relies on social engineering tactics such as military-themed lures sent over WhatsApp to trick victims into downloading it.
It is linked to Houthi actors and steals photos, documents, location data, and device information; its persistence mechanisms (the source of the GuardZoo name) and its AnimalCoop/MainZoo class names allow it to maintain access for continuous data exfiltration.
Researchers have identified over 450 victims across Yemen, Saudi Arabia, and other Middle Eastern countries, and the malware can also download additional invasive malware, further compromising the infected devices.
Lookout researchers discovered the new Android surveillanceware, GuardZoo, which has been targeting military personnel in the Middle East since October 2019.
GuardZoo leverages social engineering tactics with military themes to lure victims and is based on the previously known Dendroid RAT.
The malware can steal data, including photos, GPS locations, and files potentially containing military operations details. While GuardZoo doesn’t appear on Google Play, Lookout reported its findings to Google for further investigation.
GuardZoo is a modified version of the Dendroid RAT spyware that uses a custom ASP.NET C2 server instead of the leaked Dendroid RAT PHP web panel; it communicates with two C2 addresses and can receive over 60 commands, most of which are exclusive to GuardZoo.
It can download and dynamically load DEX files from the C2 server for flexible updates without requiring a full APK update. While this DEX loading functionality was deprecated in April 2023, the code remains within the app, potentially for future use.
GuardZoo, which targets Yemeni military personnel, uses dynamic DNS domains registered to YemenNet for its C2 server, and communication occurs over HTTPS with a self-signed certificate.
Upon infecting a device, GuardZoo exfiltrates GPS data (KMZ, WPT, RTE, and TRK files) and the metadata of files created after June 24th, 2017. The C2 server sends commands, including data upload, and disables local logging. Interestingly, despite the “.php” extension in the URLs, the backend is built with ASP.NET on IIS 10.
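The C2 traits described above (dynamic DNS hostname, self-signed TLS certificate, “.php” paths served by an ASP.NET backend on IIS 10) can be turned into a simple scoring heuristic over proxy or TLS-inspection logs. The example below is added here and is not code from the Lookout report; the log records, the dynamic-DNS suffix list, and the field names are constructed assumptions.

```python
# Added example (not from the Lookout report): heuristic detector for the
# GuardZoo-style C2 pattern. Records, field names, and the dynamic-DNS
# suffix list are constructed assumptions, not real indicators.
import json

# Assumption: suffixes the defender treats as dynamic-DNS providers (placeholders).
DYNDNS_SUFFIXES = (".ddns.example", ".dyn.example")


def score_record(rec):
    """Return (score, reasons) for one proxy/TLS-inspection record."""
    reasons = []
    host = rec.get("host", "").lower()
    if host.endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-dns host")
    if rec.get("tls_self_signed"):
        reasons.append("self-signed certificate")
    # The report notes ".php" URLs answered by an ASP.NET backend on IIS 10;
    # a PHP-looking path on a Microsoft-IIS Server header is the mismatch to flag.
    server = rec.get("server_header", "").lower()
    if rec.get("path", "").lower().endswith(".php") and "microsoft-iis" in server:
        reasons.append(".php path served by IIS/ASP.NET backend")
    return len(reasons), reasons


def flag_c2_candidates(lines, threshold=2):
    """Parse JSON-lines records and return hosts that meet the threshold."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        score, reasons = score_record(rec)
        if score >= threshold:
            hits.append({"host": rec["host"], "score": score, "reasons": reasons})
    return hits


# Constructed sample records (not real indicators).
SAMPLE_LOG = """
{"host": "update-srv.ddns.example", "path": "/api/upload.php", "tls_self_signed": true, "server_header": "Microsoft-IIS/10.0"}
{"host": "www.example.org", "path": "/index.php", "tls_self_signed": false, "server_header": "Apache/2.4"}
{"host": "cdn.example.net", "path": "/static/app.js", "tls_self_signed": false, "server_header": "nginx"}
{"host": "node7.dyn.example", "path": "/status", "tls_self_signed": true, "server_header": "nginx"}
""".splitlines()

if __name__ == "__main__":
    for hit in flag_c2_candidates(SAMPLE_LOG):
        print(hit["host"], hit["score"], ", ".join(hit["reasons"]))
```

The threshold is deliberately low so that a dynamic-DNS host with a self-signed certificate is surfaced for review even when the Server header is unavailable.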
The malware targets devices in Yemen and surrounding Middle Eastern countries using lures such as “Locate Your Phone” and military-themed apps to trick users into downloading it. It infects devices via WhatsApp, WhatsApp Business, and browser downloads.
The server was purchased on March 18, 2019, by a distributor in the United Arab Emirates, and its unsecured C2 server logs show that the victims’ IP addresses are primarily in Yemen, Saudi Arabia, and Egypt.
According to Lookout, the codebase is in English, but the user interface and messages are in Arabic, indicating that the attacker likely speaks Arabic. The project timezone is set to Asia/Baghdad (GMT+3), and the project name is “Project 500”.