An alleged pro-Houthi armed group entity called OilAlpha continues to target humanitarian and human rights organisations that conduct various aid missions in Yemen.
According to reports, the group deploys malicious Android applications to steal credentials and collect intelligence from targeted users. Some of the confirmed targets of this threat group are the Norwegian Refugee Council and CARE International.
OilAlpha has been a persistent threat to various humanitarian aid groups in Yemen.
The OilAlpha campaign, which targets these humanitarian groups in Yemen, started around May last year. However, researchers recently discovered a new app that still poses a significant threat to humanitarian missions in the country.
Investigations revealed that the group has a new cluster of malicious mobile apps and infrastructure linked to OilAlpha. These applications are aimed at employees of internationally recognised humanitarian organisations such as the Saudi Arabian King Salman Humanitarian Aid and Relief Centre and the other two entities mentioned above.
Last month, the researchers detected a hostile Android file called “Cash Incentives[.]apk,” which was linked to OilAlpha’s infrastructure. The app requests admin-level permissions, including access to the camera, audio, SMS and contacts, which suggests it could contain a remote access trojan (RAT).
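As an added illustration (not code from the report or from the researchers it cites), the following Python triage reads a decoded AndroidManifest.xml and flags the permission footprint described above: surveillance-class runtime permissions plus a device-administrator receiver. The sample manifest, its package name and the scoring threshold are constructed assumptions, not values taken from the real APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions that together give an app the reach of a remote
# access trojan: camera, microphone, SMS and contacts.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the permission footprint of a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    capabilities = sorted({SURVEILLANCE_PERMISSIONS[p]
                           for p in requested if p in SURVEILLANCE_PERMISSIONS})
    # A receiver guarded by BIND_DEVICE_ADMIN means the app asks to become a
    # device administrator (hard to uninstall, can lock or wipe the device).
    wants_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN
                      for r in root.iter("receiver"))
    # Heuristic (assumed threshold): a device-admin request or three or more
    # surveillance-class capabilities warrants analyst review.
    suspicious = wants_admin or len(capabilities) >= 3
    return {"package": root.get("package"), "capabilities": capabilities,
            "device_admin": wants_admin, "suspicious": suspicious}


# Constructed sample manifest modelled on the permission set described in
# the report; it is not taken from the real "Cash Incentives" APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cashincentives">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

In practice the manifest is first decoded from the APK with a tool such as apktool, since the binary XML inside the archive is not directly parseable.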
Further observation of the activity also uncovered two more malicious applications targeting the Norwegian Refugee Council and CARE International, both of which attempted to steal credentials and sensitive data.
The group’s malicious operation also includes a credential theft portal hosted on the domain kssnew[.]online. This webpage impersonates the login pages of humanitarian groups and prompts users to enter their credentials, which the attackers then record and collect.
Hence, businesses, especially humanitarian organisations in Yemen, should establish information security policies and conduct social engineering and anti-phishing awareness training for members and employees. Additionally, strong passwords and multi-factor authentication (MFA) can increase security and lessen the chances of infection.
Users should be cautious when engaging with direct messaging apps and encrypted conversations and should check the legitimacy of messages. Lastly, refrain from immediately providing personal details or credentials to new applications, and avoid granting device privileges, especially those that are unnecessary for the app’s role.