    Pro-Houthi Faction Targets Yemen Aid Agencies with Android Espionage Software

    A suspected pro-Houthi group has targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive data.

    The attacks, attributed to a threat activity cluster tracked as OilAlpha, involve a new set of malicious mobile apps backed by dedicated supporting infrastructure, according to Recorded Future’s Insikt Group.

    Victims of the ongoing campaign include CARE International, the Norwegian Refugee Council (NRC), and Saudi Arabia’s King Salman Humanitarian Aid and Relief Centre.

    “The OilAlpha collective is highly likely operational and conducting targeted maneuvers against humanitarian and human rights organizations functioning in Yemen, and potentially across the broader Middle East,” the cybersecurity entity declared.

    OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian Peninsula.

    Those attacks used WhatsApp to distribute malicious Android APK files disguised as apps from reputable organizations such as UNICEF, ultimately deploying a malware strain known as SpyNote (also called SpyMax).

    The latest wave, detected in early June 2024, consists of apps that pose as humanitarian-relief tools, impersonating organizations such as CARE International and the NRC, both of which operate in Yemen.

    Once installed, the apps – which hide the SpyMax trojan – request intrusive permissions that enable the theft of victim data.

    OilAlpha’s tactics also include credential harvesting: a set of counterfeit login pages mimicking these organizations captures users’ authentication details. The goal is assessed to be espionage enabled by access to accounts belonging to the targeted organizations.

    “Houthi insurgents have persistently attempted to impede the movement and delivery of international humanitarian aid, profiting from taxing and reselling aid materials,” Recorded Future stated.

    “One plausible rationale for the observed cyber targeting is intelligence-gathering to streamline efforts to control who receives aid and the method of its distribution.”

    The development comes weeks after Lookout attributed to a Houthi-aligned threat actor another surveillanceware operation that delivered an Android data-collection tool dubbed GuardZoo to targets in Yemen and other Middle Eastern countries.
