BOSTON--(BUSINESS WIRE)--Lookout, Inc., the data-centric cloud security company, today announced the discovery of Android surveillanceware that is actively targeting military personnel in Middle Eastern countries. Dubbed GuardZoo by Lookout, this campaign leverages malicious apps with military and religious themes to lure victims via social engineering on mobile devices. While Lookout is still actively analyzing data, thus far it has seen more than 450 IP addresses belonging to victims primarily located in Yemen, Saudi Arabia, Egypt, Oman, the United Arab Emirates (UAE), Qatar and Turkey. Based on application lures, targeting and threat actor-controlled server locations, Lookout attributes GuardZoo to a Yemeni, Houthi-aligned threat actor. In January 2024, the U.S. government re-designated the Houthi militia as a Specially Designated Global Terrorist group.
Threat Discovery Highlights:
- Distribution appears to occur via social engineering in WhatsApp, WhatsApp Business, and mobile browsers.
- GuardZoo collects data such as photos, documents, location data, saved GPS routes and tracks, device model number, mobile carrier and Wi-Fi configuration from infected devices.
- Most of the victims appear to be in Yemen. Based on findings, researchers believe that many are members of Pro-Hadi forces.
GuardZoo is based on a commodity spyware named Dendroid RAT, which Lookout protects its customers against. As is frequently the case, the developers behind GuardZoo took an existing malware family and created a new variation of it with updated capabilities. In this case, one interesting capability is that GuardZoo can act as a conduit between the threat actor and the victim’s device allowing the threat actor to download additional malware to the infected device. This could introduce additional invasive capabilities that would benefit the threat actor.
Researchers also noticed that recent samples of GuardZoo pose as religious, e-book, and military-themed apps such as “Constitution of the Armed Forces,” “Limited - Commander and Staff” and “Restructuring of the New Armed Forces.” When observing log entries, the targeting of military personnel was solidified with the discovery of exfiltrated documents belonging to military leadership. For example, one document’s title translated to “Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance Division.”
“The discovery of GuardZoo is a reminder of the growing threat posed by advanced surveillanceware,” said Aaron Cockerill, Executive Vice President of Product & Security, Lookout. “These spyware packages can be used to collect a wide range of data from infected devices, which in the case of GuardZoo, could put military personnel and operations at risk. We urge security professionals to be aware of this threat and to take steps to protect their users, and work and personal data.”
To protect both business and personal Android devices from GuardZoo and other surveillanceware, Lookout recommends the following basic steps that anyone can take.
- Keep your operating system and apps up to date, as most updates nowadays are related to security patches.
- Only install apps from Google Play, not third-party sources. If you receive a message asking you to install an app from a website, immediately block the number and report the incident to your IT or Security team.
- Be mindful of the permissions that mobile apps ask for. Overly invasive permissions, even from legitimate apps, could create data risk for your organization.
- Implement a mobile security solution, like Lookout, that can detect and protect against malware and keep your organization safe.
Lookout Threat Lab researchers actively track spyware and provide coverage to Lookout Mobile Endpoint Security customers. The Lookout Security Cloud uses AI to analyze mobile data by leveraging machine learning algorithms and analyzing telemetry obtained from more than 325 million apps, 220 million devices and 450 million sites. With the world's largest dataset of mobile security information, Lookout can identify complex patterns and behaviors in real time that indicate risk, providing unparalleled protection for mobile devices. Lookout secures customers against phishing, app, device, and network threats in a manner that respects user privacy.
To learn more about GuardZoo, read the Lookout Threat Lab blog.
Additional Resources:
- Learn more about Lookout Mobile Endpoint Security and the Lookout Threat Lab.
- Sign up for a complimentary Data Risk Assessment.
- Listen and subscribe to Security Soapbox, the Lookout podcast covering privacy, security, and everything in between.
About Lookout
Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves. People — and human behavior — are central to the challenge of protecting data, which is why organizations need total visibility into threats in real time. The Lookout Cloud Security Platform is purpose-built to stop modern breaches as swiftly as they unfold, from the first phishing text to the final cloud data extraction. We are trusted by enterprises and government agencies of all sizes to protect the sensitive data they care about most, enabling them to work and connect freely and securely. To learn more, visit www.lookout.com and follow Lookout on our blog, LinkedIn and X.
© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.