OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating in Yemen

Summary

Insikt Group's research reveals that OilAlpha, a likely pro-Houthi group, continues to target humanitarian and human rights organizations operating in Yemen. They use malicious Android applications to steal credentials and gather intelligence, potentially to control aid distribution. Notable organizations affected include CARE International and the Norwegian Refugee Council. This report highlights the ongoing threat and suggests mitigation strategies, such as social engineering awareness, strong passwords, and multi-factor authentication.

OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating in Yemen

In May 2023, Insikt Group first shared research on OilAlpha, a pro-Houthi group that targets humanitarian organizations in Yemen using malicious Android applications. A year later, new findings reveal that OilAlpha remains active and poses a significant threat to humanitarian efforts in the region.

Our recent research identifies a fresh cluster of malicious mobile applications and infrastructure linked to OilAlpha. These applications target employees of globally recognized humanitarian organizations, including CARE International, the Norwegian Refugee Council, and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre.

In June 2024, we discovered a suspicious Android file named “Cash Incentives.apk,” connected to OilAlpha's infrastructure. The app requests invasive permissions, including access to the camera, audio, SMS, contacts, and more, classifying it as a remote access trojan (RAT). Subsequent analysis identified two more malicious applications targeting the Norwegian Refugee Council and CARE International, all attempting to steal credentials and gather sensitive information.

OilAlpha's operations include a credential theft portal hosted on the domain kssnew[.]online. This portal impersonates humanitarian organizations' login pages, redirecting users to input their credentials, which are then harvested by the attackers.

To combat this threat, organizations should implement information security policies and conduct social engineering and anti-phishing awareness exercises. Strong passwords and multi-factor authentication (MFA) can significantly reduce the risk of credential theft.

Moreover, users should be cautious of direct messaging on social media and encrypted chats, verifying the authenticity of messages when possible. Recorded Future's Third-Party Intelligence module can help identify and monitor OilAlpha's activities in real time. Install the Recorded Future® Threat Intelligence Browser Extension for instant access to threat intelligence, faster alert processing in SIEM, and prioritizing vulnerabilities.

For suspicious files, Recorded Future's Malware Intelligence sandbox provides detailed analysis. It observes the file's behavior in a controlled environment to understand its network connections and system changes.

OilAlpha's activities suggest an ongoing effort to control humanitarian aid distribution in Yemen. The group's focus on targeting humanitarian organizations is likely to continue, potentially expanding beyond Yemen. Recorded Future remains committed to monitoring and reporting on these threats to help safeguard humanitarian operations in the Middle East and beyond.

To read the entire analysis, click here to download the report as a PDF.