An alleged pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to gather sensitive information.
These attacks are associated with a cluster of activity codenamed OilAlpha, which brings with it a new set of mobile malware that comes with its own supporting infrastructure, Recorded Future's Insikt Group said.
The current campaign targets CARE International, the Norwegian Refugee Council (NRC) and the Saudi King Salman Center for Humanitarian Aid and Relief.
“The OilAlpha threat group is likely active and carrying out targeted activities against humanitarian and human rights organizations operating in Yemen and possibly throughout the Middle East,” the cybersecurity company said.
OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media and non-governmental organizations in the Arabian Peninsula.
These attacks used WhatsApp to distribute malicious Android APK files, pretending to be associated with legitimate organizations such as UNICEF, which eventually led to the deployment of a malware called SpyNote (aka SpyMax).
The latest wave, discovered in early June 2024, includes apps claiming to be linked to humanitarian aid programs and impersonating organizations such as CARE International and NRC, both of which have an active presence in Yemen.
Once installed, these applications, which contain the SpyMax Trojan, request intrusive permissions, thereby facilitating the theft of the victim’s data.
OilAlpha’s operations also include a credential harvesting component that uses a set of fake login pages impersonating these organizations to collect user login information. The purpose is suspected to be espionage by accessing accounts associated with the affected organizations.
“Houthi fighters have consistently attempted to restrict the movement and delivery of international humanitarian aid and have profited from the taxation and resale of aid supplies,” Recorded Future reported.
“One possible explanation for the observed cyber targeting is that it is intelligence gathering to aid efforts to control who receives aid and how it is delivered.”
The development comes weeks after Lookout implicated the Houthi threat actor in another surveillance software operation that deploys an Android data collection tool called GuardZoo against targets in Yemen and other countries in the Middle East.