FlexStarling Mobile Malware Targets Specialized Victims in Africa
Human rights activists in Morocco and the Western Sahara region face a new threat: attackers are using phishing to lure Android users into installing a fake mobile application and Windows users into visiting counterfeit login pages that harvest their credentials.
Cisco Talos tracks this campaign as Starry Addax; it primarily targets activists associated with the Sahrawi Arab Democratic Republic (SADR). The infrastructure used by Starry Addax, namely ondroid[.]site and ondroid[.]store, serves both Android and Windows victims. For Windows users, the attackers host fake websites that imitate popular social media platforms to trick individuals into divulging their login details.
Although the specific services whose login pages are imitated cannot be disclosed because the investigation is ongoing, Talos noted that the threat actor builds its own infrastructure to host counterfeit login pages for widely used media and email services rather than relying on third-party phishing kits hosted elsewhere.
Profiling the Entity Behind FlexStarling
The adversary, active since January 2024, sends spear-phishing emails that entice targets into installing what appears to be the Sahara Press Service's mobile app or a related decoy app. Depending on the victim's operating system, the phishing link delivers either a malicious APK masquerading as the Sahara Press Service app (Android) or a fake social media login page that harvests credentials (Windows).
The newly identified Android malware, FlexStarling, is multifaceted: it can deploy additional malware components and exfiltrate sensitive data from infected devices. Once installed, FlexStarling requests an extensive set of permissions that enable its data-collection activities, and it receives commands from a Firebase-based command-and-control (C2) channel. Because Firebase is a legitimate Google service used by many benign apps, the C2 traffic blends in with ordinary application traffic and cannot be flagged by destination alone, which is why Talos describes this choice as a detection-evasion tactic.
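The two observations above, a decoy app that asks for far more permissions than a news reader needs and a C2 channel that hides behind a legitimate cloud service, suggest how a defender can triage a suspicious APK and its network activity. The following script is an added example, not Talos's tooling or anything from the FlexStarling sample: it extracts the permissions declared in an AndroidManifest.xml, counts how many of them give access to user data or sensors, and separately matches DNS query log lines against the Starry Addax domains named on this page. The manifest, the log lines, the log format, and the list of sensitive permissions are all constructed for the example; FlexStarling's real manifest is not published here.

```python
import re
import xml.etree.ElementTree as ET

# Infrastructure named in the Talos reporting on Starry Addax. It is defanged
# on the page (ondroid[.]site); written out here so the matcher can compare
# against real resolver logs.
STARRY_ADDAX_DOMAINS = {"ondroid.site", "ondroid.store"}

# Permissions that expose user data or device sensors. This is a triage list
# chosen for the example, not FlexStarling's actual permission set.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a decoy "news" app; not the real FlexStarling manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.decoy.news">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Decoy News"/>
</manifest>"""

# Constructed resolver log lines: "<timestamp> <client> query <qname>".
SAMPLE_DNS_LOG = [
    "2024-03-02T10:14:03Z 10.0.0.7 query news.example.org.",
    "2024-03-02T10:14:09Z 10.0.0.7 query ondroid.site.",
    "2024-03-02T10:14:11Z 10.0.0.7 query firebaseio.com.",
    "2024-03-02T10:15:40Z 10.0.0.9 query cdn.ondroid.store.",
    "2024-03-02T10:16:02Z 10.0.0.9 query notondroid.site.",
]

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def manifest_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {
        el.attrib.get(ANDROID_NS + "name", "")
        for el in root.iter("uses-permission")
    }


def triage_manifest(manifest_xml, threshold=3):
    """Flag a manifest whose sensitive-permission count reaches the threshold.

    Returns the sorted list of sensitive permissions found and a boolean verdict.
    """
    sensitive = sorted(manifest_permissions(manifest_xml) & SENSITIVE_PERMISSIONS)
    return {"sensitive": sensitive, "suspicious": len(sensitive) >= threshold}


def flag_dns(lines, domains=STARRY_ADDAX_DOMAINS):
    """Return (client, qname) pairs whose query is one of the domains or a subdomain of one.

    Suffix matching requires the leading dot so that lookalikes such as
    notondroid.site do not match ondroid.site.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in domains or any(qname.endswith("." + d) for d in domains):
            hits.append((m.group("client"), qname))
    return hits


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(flag_dns(SAMPLE_DNS_LOG))
```

Note that the Firebase query in the sample log is deliberately not flagged: firebaseio.com and the other Google endpoints are used by countless legitimate apps, so alerting on them alone produces noise without catching the C2. The actionable signals here are the actor-controlled domains and a permission profile that does not fit the app's stated purpose; correlating the two on the same device is where an investigation would start.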
Talos warns that campaigns targeting high-profile individuals like this one often aim to remain undetected on devices for extended periods.