Human rights activists in Morocco and the Western Sahara area are the targets of a brand new menace actor that leverages phishing assaults to trick victims into putting in bogus Android apps and serve credential harvesting pages for Home windows customers.
Cisco Talos is monitoring the exercise cluster underneath the title Starry Addax, describing it as primarily singling out activists related to the Sahrawi Arab Democratic Republic (SADR).
Starry Addax’s infrastructure – ondroid[.]website and ondroid[.]retailer – is designed to focus on each Android and Home windows customers, with the latter involving faux web sites masquerading as login pages for common social media web sites.
The adversary, believed to be energetic since January 2024, is understood to ship spear-phishing emails to targets, urging recipients to put in Sahara Press Service’s cellular app or a related decoy associated to the area.
Relying on the working system from the place the request is originating from, the goal is both served a malicious APK that impersonates the Sahara Press Service or redirected to a social media login web page to reap their credentials.
The novel Android malware, dubbed FlexStarling, is flexible and geared up to ship extra malware parts and steal delicate data from contaminated units.
As soon as put in, it requests the sufferer to grant it intensive permissions that enable the malware to carry out nefarious actions, together with fetching instructions to be executed from a Firebase-based command-and-control (C2), an indication that the menace actor is trying to fly underneath the radar.
“Campaigns like this that focus on high-value people often intend to take a seat quietly on the machine for an prolonged interval,” Talos mentioned.
“All parts from the malware to the working infrastructure appear to be bespoke/custom-made for this particular marketing campaign indicating a heavy deal with stealth and conducting actions underneath the radar.”
The event comes amid the emergence of a brand new business Android distant entry trojan (RAT) referred to as Oxycorat that is being supplied on the market with numerous data gathering capabilities.
