According to a recent report published by Recorded Future, the OilAlpha cyberespionage group is targeting primarily humanitarian groups, media outlets, and nonprofit organizations operating within the Arabian Peninsula. The group is believed to have strong connections to Yemen’s Houthi movement.
The campaign uses WhatsApp as its delivery channel: malicious Android packages sent through the messenger are the initial foothold used to compromise these organizations.
Diving into details
OilAlpha primarily focuses on exploiting vulnerabilities in widely available Android phones in the region.
- Between April and May 2022, OilAlpha targeted political representatives and journalists involved in the Yemeni civil war negotiations by sending malicious Android files via WhatsApp.
- The group employed remote access tools, such as SpyNote and SpyMax, to install mobile spyware. These tools grant unauthorized access to call logs, SMS data, contact information, network details, camera, audio functionalities, as well as GPS location data.
- The group also engaged in application spoofing, mimicking prominent humanitarian organizations such as UNICEF, the Norwegian Refugee Council, and the Red Crescent Society, all of which are actively involved in disaster response and humanitarian work in Yemen.
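The capability set attributed to SpyNote and SpyMax above (call logs, SMS, contacts, network details, camera, audio, GPS) is what a defender can key on when triaging an APK that arrived over a messenger. The following Python script is an added example, not code from Recorded Future or from the report; the permission groupings, the five-group threshold, the organization keyword list and the two sample manifests are constructed assumptions for illustration, not indicators taken from the campaign.

```python
"""Triage heuristic for sideloaded Android packages (added example, not from
the Recorded Future report). Given an AndroidManifest.xml, it flags packages
whose declared permissions cover the surveillance capabilities described for
SpyNote/SpyMax-style RATs, and notes when the app label borrows the name of a
humanitarian organization. Both manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Real Android permission identifiers, grouped by the capability they unlock.
SURVEILLANCE_GROUPS = {
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "network": {"android.permission.ACCESS_NETWORK_STATE",
                "android.permission.ACCESS_WIFI_STATE"},
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}

# Assumed cutoff for this example: a single app hitting five or more of the
# seven groups is unusual enough to pull for analyst review.
FLAG_THRESHOLD = 5

# Organization names the report says were impersonated (lower-cased for matching).
ORG_KEYWORDS = ("unicef", "norwegian refugee council", "red crescent")


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def app_label(manifest_xml: str) -> str:
    """Return the android:label of the <application> element, or '' if absent."""
    app = ET.fromstring(manifest_xml).find("application")
    return (app.get(LABEL_ATTR) or "") if app is not None else ""


def surveillance_groups_hit(perms: set[str]) -> list[str]:
    """Names of capability groups for which at least one permission is declared."""
    return sorted(group for group, names in SURVEILLANCE_GROUPS.items() if perms & names)


def triage(manifest_xml: str) -> dict:
    """Summarize why an APK does or does not warrant review."""
    groups = surveillance_groups_hit(declared_permissions(manifest_xml))
    label = app_label(manifest_xml)
    return {
        "package": ET.fromstring(manifest_xml).get("package", ""),
        "label": label,
        "groups": groups,
        "count": len(groups),
        "flag": len(groups) >= FLAG_THRESHOLD,
        "mimics_humanitarian_org": any(k in label.lower() for k in ORG_KEYWORDS),
    }


def _manifest(package: str, label: str, perms: list[str]) -> str:
    """Build a minimal constructed manifest for the samples below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{uses}<application android:label="{label}"/></manifest>')


# Constructed sample: a lure posing as an aid-registration app with the full RAT permission set.
RAT_SAMPLE = _manifest("com.example.aidreg", "UNICEF Aid Registration", [
    "android.permission.INTERNET", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_WIFI_STATE", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
])

# Constructed sample: an ordinary app that only needs network access and the camera.
BENIGN_SAMPLE = _manifest("com.example.scanner", "Document Scanner", [
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
])

if __name__ == "__main__":
    for sample in (RAT_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

Declared permissions are only a first filter: a package can request them and never use them, and a signed update can add more later, so a hit here is a reason to pull the APK for dynamic analysis, not a verdict. The organization-name check is deliberately simple; in practice it should be paired with verifying the signing certificate against the organization's published app.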