July 9, 2024

Lookout Discovers Houthi Surveillanceware Targeting Middle Eastern Militaries

  • GuardZoo is an Android surveillanceware being used to target military personnel from Middle Eastern countries. 
  • The campaign started around October 2019 and is still active in 2024. It is named after a piece of source code that enables persistence on the device. It also uses other animal related class names such as AnimalCoop and MainZoo. 
  • Lookout attributes this activity to a Yemeni, Houthi-aligned threat actor based on the application lures, exfil data, targeting and the C2 infrastructure location.
  • While Lookout is still actively analyzing data, thus far it has seen more than 450 IP addresses that belong to victims who are primarily located in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar and Turkey.
  • It can collect data such as photos, documents, coordinate data files related to marked locations, routes, and tracks, the device’s location, model, cellular service carrier, and Wi-Fi configuration. 
  • It is distributed via WhatsApp, WhatsApp Business, and direct browser download and can enable the actor to deploy additional invasive malware on the infected device.

Notable capabilities

In October 2022, Lookout researchers discovered a surveillanceware that is still being used to target military personnel from Middle Eastern countries. The surveillanceware, dubbed GuardZoo by Lookout, is based on a commodity spyware named Dendroid RAT, which Lookout has protected against since before 2022. Lookout attributes this activity to a Yemeni Houthi-aligned group because the targeting aligns with Houthi interests.

GuardZoo uses military themes to lure victims.

The campaign started around October 2019 and is still active at the time of this report. The campaign mostly uses military themes to lure victims, but Lookout researchers also observed that religion and other themes are being used. Yemen, Saudi Arabia, Egypt and Oman are amongst the countries whose militaries have been targeted. The following is a list of applications with acquisition dates and title details.

List of GuardZoo samples with dates and titles.

Lookout reported these findings to Google. Google confirmed that based on its current detection, no apps containing this malware are found to be on Google Play. 

Technical analysis

GuardZoo is based on Dendroid RAT, a commodity spyware which was leaked online in 2014. However, many changes were made to the code base in order to add new functionalities and remove unused functions. GuardZoo doesn’t use the leaked PHP web panel from Dendroid RAT for Command and Control (C2) but instead uses a new C2 backend created with ASP.NET. 

By default, GuardZoo uses two C2 addresses: a primary, https://wwwgoogl.zapto[.]org, and a backup, https://somrasdc.ddns[.]net. GuardZoo can receive more than 60 commands from the C2, most of which are exclusive to GuardZoo and were added by the threat actor. The following is a list of notable C2 commands and their functions.

List of C2 commands and functions.

GuardZoo also has the ability to download a DEX file from the C2 and dynamically load it instead of a full APK update. The URL for the latest DEX file is as follows:

<C2 Address>/updateApp?dexfile=classes.dex

After downloading the DEX file, it is saved in the “dex” folder inside the app data folder and then the app restarts itself to load the new DEX file. 

GuardZoo can download and dynamically load external DEX files.

This secondary payload was deprecated as of late April 2023; however, the code in this secondary DEX is still present within the base application. This could be a way to future-proof the app in case the developer decides to return to the former process.


GuardZoo has been using the same dynamic DNS domains for C2 operations since October 2019. These domains resolve to IP addresses registered to YemenNet, and the resolved addresses change regularly. Every request to the C2 carries two GET parameters: "UID", a unique victim/client ID, and "Password", a password used to verify the authenticity of the request.

Default commands for every new victim device.

When it starts running on an infected device, GuardZoo connects to the C2 to get commands and by default, the C2 sends the following four commands to every new client:

  • Upload all files with the extensions KMZ, WPT, RTE and TRK that were created since 24 June 2017.
  • Set the wait time to 15 minutes if an error occurs during processing.
  • Disable local logging.
  • Upload metadata (name, size, creation and modification dates) for all files.

These extensions are used by map and GPS applications for waypoints, routes and tracks.

GuardZoo can upload the list of files on the device.

Communication with the C2 is over HTTPS; however, the data inside the request body is in cleartext. The C2 server uses a self-signed HTTPS certificate with the SHA-1 fingerprint "51a35108b7a2c8d4a199d5c872927ee13d66b4a8". Even though the URLs have a "PHP" extension in their paths, the C2 backend is written in ASP.NET and served on IIS 10.
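The following script is an added example and not code from Lookout or from the GuardZoo report. It matches proxy or TLS-inspection log records against the network indicators described above: the two dynamic DNS C2 hosts, the "UID" and "Password" GET parameters that every C2 request carries, the /updateApp?dexfile= DEX download path, and the self-signed certificate fingerprint. The log format (one record per line with client, host, URL and server certificate SHA-1), the sample records and the get.php path are constructed for illustration and are assumptions, not observed data. The UID/Password parameter pair on its own is reported as a weak lead, because unrelated applications use the same parameter names.

```python
"""Match web-proxy / TLS-inspection records against GuardZoo C2 indicators.

Example code added to the report, not Lookout's tooling. The log format and the
sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Indicators from the report (defanging removed so they match real hostnames).
C2_HOSTS = {"wwwgoogl.zapto.org", "somrasdc.ddns.net"}
C2_CERT_SHA1 = "51a35108b7a2c8d4a199d5c872927ee13d66b4a8"

# Indicators that on their own justify a high-severity alert.
STRONG = {"known C2 host", "C2 certificate fingerprint", "DEX update download"}

# Constructed sample records (assumed format: client host url cert_sha1).
# "-" in the last column means no server certificate was recorded.
# The get.php path is hypothetical; the report only notes that C2 URLs end in .php.
SAMPLE_LOG = """\
10.0.0.5 wwwgoogl.zapto.org https://wwwgoogl.zapto.org/get.php?UID=a1b2c3&Password=hunter2 51A35108B7A2C8D4A199D5C872927EE13D66B4A8
10.0.0.7 www.example.com https://www.example.com/index.html -
10.0.0.9 somrasdc.ddns.net https://somrasdc.ddns.net/updateApp?dexfile=classes.dex&UID=a1b2c3&Password=hunter2 51a35108b7a2c8d4a199d5c872927ee13d66b4a8
10.0.0.11 cdn.example.net https://cdn.example.net/api?UID=42&Password=x 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
"""


@dataclass
class Hit:
    client: str
    url: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if STRONG.intersection(self.reasons) else "low"


def classify(url: str, cert_sha1: str = "-") -> list:
    """Return the GuardZoo indicators matched by a single request."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # lowercased, port stripped
    query = parse_qs(parts.query)

    if host in C2_HOSTS:
        reasons.append("known C2 host")
    if cert_sha1.lower() == C2_CERT_SHA1:
        reasons.append("C2 certificate fingerprint")
    # Secondary-payload fetch: <C2>/updateApp?dexfile=classes.dex
    if parts.path.endswith("/updateApp") and "dexfile" in query:
        reasons.append("DEX update download")
    # Every C2 request carries both parameters; weak on its own.
    if "UID" in query and "Password" in query:
        reasons.append("UID/Password beacon parameters")
    return reasons


def parse_line(line: str):
    """Split one constructed log record into (client, host, url, cert_sha1)."""
    client, host, url, cert = line.split()
    return client, host, url, cert


def scan(log_text: str) -> list:
    """Scan a block of log records and return the matching requests."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _host, url, cert = parse_line(line)
        reasons = classify(url, cert)
        if reasons:
            hits.append(Hit(client, url, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.client} -> {hit.url}: {', '.join(hit.reasons)}")
```

Only the host, certificate and DEX-path matches are treated as high severity; the parameter-name match is kept as a low-severity lead so that hosts outside the known C2 set are surfaced for analyst review rather than alerted on.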


Older samples of GuardZoo from 2019 and 2020 use lures with broader topics such as “Locate Your Phone” and “Anti Touch." More recent samples have military lures such as “Constitution Of The Armed Forces”, “Limited - Commander And Staff” and “Restructuring Of The New Armed Forces." Military themed apps also use military emblems from different countries such as Yemen Armed Forces and Command and Staff College of the Saudi Armed Forces. There is also a religious themed prayer app lure and an e-book themed lure.

Lookout telemetry indicates most of the detections happened in Yemen. The file paths on devices where GuardZoo samples were detected reveal initial infection vectors via WhatsApp, WhatsApp Business and browser download.

According to C2 server logs, victim IPs are scattered around Middle Eastern countries.

According to unsecured C2 server logs dating back to December 2022, victims were mostly located in Yemen, Saudi Arabia and Egypt, with a few victims located in Oman, the United Arab Emirates, Turkey and Qatar.

List of countries and count of unique victim devices derived from IP geolocation and mobile carrier information obtained from unsecured C2 server logs of a single day.

The logs also contained the IP addresses of the victim devices and their mobile carrier details. The table above lists the countries and the count of unique victim devices derived from IP geolocation and mobile carrier information in the C2 server logs of a single day. IP addresses known to be used by VPN providers and known proxies were omitted.


The serial number of the C2 server reveals the purchase date and shipment country details.

Logs also revealed the serial number of the C2 server. Querying this serial number on the manufacturer support website shows that this server was shipped on 18 March 2019 by a distributor in the United Arab Emirates which serves Yemen and nine other countries in the region. There is a possibility that the server might have changed hands before being used for this campaign. However, this is an unlikely case given the relatively small time frame between the purchase date and the start date of the campaign. 

Translation: “Set the target first” and “Are you sure you want to delete command records”

The codebase for the C2 backend is mostly in English, with the exception of the user interface and messages which are in Arabic. The dialect of the Arabic text is Modern Standard Arabic according to the dialect identification component of the CAMeL Tools. The timezone for the project is set to “Asia/Baghdad” which corresponds to GMT+3. 

Timezone for the project is set to “Asia/Baghdad” and the project is named “Project500” locally.

Some of the log entries indicate devices belonging to Pro-Hadi forces, the military of the internationally recognized government that is temporarily located in Aden. The contents of one exfiltrated document translate to "Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance division."

Lookout researchers attribute this campaign to a Yemeni Houthi-aligned threat actor based on the application lures, logs, targeting and the C2 infrastructure location.


Special thanks to Justin Albrecht for their contributions to this discovery.

Indicators of Compromise

C2 Servers


Alemdar Islamoglu

Staff Security Intelligence Researcher

Alemdar Islamoglu is a security intelligence engineer at Lookout who focuses on mobile threats and related threat actors. He has prior experience in reverse engineering, pentesting, and security software development. He also enjoys organizing and participating in capture the flag competitions when he can find the time.

Kyle Schmittle

Senior Security Intelligence Researcher

Kyle Schmittle is a security researcher with a primary focus on mobile threat discovery and attribution. As part of Lookout's Threat Intelligence team he works to discover and track threat actors and their targets, and provide accurate research and reporting on these issues. Kyle has over 15 years of experience tracking and reporting on cyber threat actors and other issues, both in the intelligence community, and most recently at Lookout.
