A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information.
These attacks, attributed to an activity cluster codenamed OilAlpha, entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future’s Insikt Group said.
Targets of the ongoing campaign include, CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre.
“The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East,” the cybersecurity company said.
OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula.
These attacks leveraged WhatsApp to distribute malicious Android APK files by passing them off as associated with legitimate organizations like UNICEF, ultimately leading to the deployment of a malware strain named SpyNote (aka SpyMax).
The latest wave, identified in early June 2024, comprises apps that claim to be related to humanitarian relief programs and masquerade as entities like CARE International and the NRC, both of which have an active presence in Yemen.
Once installed, these apps – which harbor the SpyMax trojan – request intrusive permissions, thereby facilitating the theft of victim data.
OilAlpha’s operations also include a credential harvesting component that utilizes a bunch of fake login pages impersonating these organizations in an effort to harvest users’ login information. It’s suspected that the goal is to carry out espionage efforts by accessing accounts associated with the affected organizations.
“Houthi militants have continually sought to restrict the movement and delivery of international humanitarian assistance and have profited from taxing and re-selling aid materials,” Recorded Future said.
“One possible explanation for the observed cyber targeting is that it is intelligence-gathering to facilitate efforts to control who gets aid and how it is delivered.”
The development arrives weeks after Lookout implicated a Houthi-aligned threat actor to another surveillanceware operation that delivers an Android data-gathering tool called GuardZoo to targets in Yemen and other countries in the Middle East.
