
Human rights activists in Morocco and Western Sahara are being targeted by a new threat actor that uses phishing attacks to trick victims into installing fake Android apps and serves Windows users a credential-harvesting page.
Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily targeting activists associated with the Sahrawi Arab Democratic Republic (SADR).
Starry Addax's infrastructure, ondroid[.]website and ondroid[.]store, is aimed at both Android and Windows users; for the latter, it serves fake websites disguised as login pages for popular social media sites.

The adversary is believed to have been active since January 2024 and has been observed sending spear-phishing emails that urge recipients to install the Sahara Press Service's mobile app, or that use other lures related to the region.
Depending on the operating system making the request, targets either receive a malicious APK impersonating the Sahara Press Service or are redirected to a social media login page designed to capture their credentials.

The new Android malware, called FlexStarling, is versatile and capable of delivering additional malware components and stealing sensitive information from infected devices.
Once installed, it asks the victim to grant it broad permissions, allowing the malware to perform malicious actions, including retrieving commands to execute from a Firebase-based command-and-control (C2) server, which indicates that the threat actors are looking to fly under the radar.
“Campaigns like this that target high-value individuals are typically intended to sit quietly on a device for an extended period of time,” Talos said.

“Every component from the malware to the operational infrastructure appears to be customized for this specific campaign, indicating a strong focus on stealth and operating under the radar.”
The development comes amid the emergence of a new commercial Android remote access trojan (RAT) known as Oxkrat, which is being offered for sale and has a variety of information-gathering features.