
OilAlpha: A Covert Faction Targeting Entities Across the Arabian Peninsula

According to a recent report published by Recorded Future, the OilAlpha cyberespionage group is targeting primarily humanitarian groups, media outlets, and nonprofit organizations operating within the Arabian Peninsula. The group is believed to have strong connections to Yemen's Houthi movement.

The campaign's delivery channel is WhatsApp: targets receive malicious Android application files in chat messages, a channel these organizations use daily for fieldwork, which makes the lures effective and puts the compromised devices, and everything on them, at the group's disposal.

Diving into details

OilAlpha focuses on the Android phones that are widely available in the region. Rather than exploiting software vulnerabilities, it relies on social engineering: targets are sent malicious Android application files (APKs) and persuaded to install them.
  • Between April and May 2022, OilAlpha targeted political representatives and journalists involved in the Yemeni civil war negotiations by sending malicious Android files via WhatsApp. 
  • The group employed off-the-shelf Android remote access tools, such as SpyNote and SpyMax, to install mobile spyware. Once the victim grants the permissions these apps request on installation, the RATs give the operator access to call logs, SMS messages, contacts, network details, the camera and microphone, and GPS location data.
  • The group also engaged in application spoofing, mimicking prominent humanitarian organizations, including UNICEF, the Norwegian Refugee Council, and the Red Crescent Society, all of which are actively involved in disaster response and humanitarian work in Yemen.
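The capability list above (call logs, SMS, contacts, network details, camera, audio, GPS) maps almost one-to-one onto Android permission strings, which makes a sideloaded APK's manifest a cheap first triage signal: a "humanitarian" app that asks for call-log, SMS and accessibility-service access looks nothing like the real UNICEF or NRC apps. The script below is an added example and is not code from Recorded Future, Cyware, or the spoofed organizations; it takes a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and scores the requested permissions against those RAT capabilities. The permission constants are real Android identifiers; the two manifests, the package names and the threshold are constructed for illustration.

```python
"""Permission-based triage for sideloaded Android packages.

Added example: map the permissions requested in a decoded AndroidManifest.xml
onto the surveillance capabilities attributed to SpyNote/SpyMax-style RATs and
flag packages that claim most of them. Sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission -> the RAT capability it enables.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_NETWORK_STATE": "network details",
    "android.permission.ACCESS_WIFI_STATE": "network details",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS location",
}

# A service bound with this permission runs as an accessibility service, the
# usual way Android RATs read screen contents and click through dialogs.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is guarded by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
               for svc in root.iter("service"))


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Score a manifest. The threshold (5 of 7 capabilities) is an assumption:
    tune it against the apps your users legitimately run."""
    perms = requested_permissions(manifest_xml)
    capabilities = sorted({cap for p, cap in SURVEILLANCE_PERMISSIONS.items()
                           if p in perms})
    accessibility = declares_accessibility_service(manifest_xml)
    # Accessibility plus even a few surveillance permissions is a strong signal.
    suspicious = (len(capabilities) >= threshold
                  or (accessibility and len(capabilities) >= 3))
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "capabilities": capabilities,
        "accessibility_service": accessibility,
        "suspicious": suspicious,
    }


# Constructed manifest of a RAT dressed up as a relief app (hypothetical package name).
SPOOFED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.relief.aid">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Relief Aid">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

# Constructed manifest of an ordinary app: camera and network only, no accessibility.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.photo.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Photo Notes"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SPOOFED_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Permissions alone are not proof of malice; a real messaging or navigation app legitimately holds several of these. The tell is the combination of SMS or call-log access with an accessibility service in an app whose stated purpose needs neither, and the check should be paired with a comparison of the APK's signing certificate against the one the real organization publishes in the official store.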

Latest threats to Android

  • FluHorse is a new Android malware family that mimics legitimate applications, several of which have more than one million installs. It is built to steal usernames, passwords and 2FA codes: victims enter them into phishing screens inside the fake app, and the codes are captured as they are typed, defeating SMS-based 2FA.
  • In April, a new campaign was found targeting Android devices in India with malware delivered through popular messaging apps such as WhatsApp. The malware was attributed to DoNot APT, a group known for cyberespionage operations in South Asia.
  • The same month, the Android banking trojan Chameleon was found impersonating the cryptocurrency app CoinSpot and other well-known applications to steal user credentials. Chameleon is still early in its development and has limited capabilities, but it can already disable Google Play Protect and includes a lock grabber that captures the device PIN or password.

The bottom line

Unless significant new information emerges or substantial geostrategic shifts occur, OilAlpha is expected to keep using malicious Android applications against entities involved in Yemen's political and security developments, as well as those operating in the humanitarian and NGO sectors. Researchers also recommend robust policies, anti-phishing and social engineering awareness exercises, strong passwords, and MFA. For this particular threat, the controls that matter most are the ones that stop the install: treat any APK received over WhatsApp or another messaging app as hostile, allow installs only from official app stores, and review apps that request SMS, call-log or accessibility-service permissions. Once a SpyNote-class RAT is on the phone, strong passwords and MFA offer little protection, because the malware already reads SMS messages and other data on the device.
Cyware Publisher