
FlexStarling Mobile Malware

Human rights defenders in Morocco and the Western Sahara area face a new threat from cyber attackers who use phishing to trick victims into installing fake Android applications and who present phony login pages to harvest credentials from Windows users. This harmful campaign revolves around a recently identified Android malware dubbed FlexStarling.

Cybersecurity experts are actively monitoring this threat, also known as Starry Addax, which specifically targets activists linked with the Sahrawi Arab Democratic Republic (SADR).

Starry Addax operates through infrastructure involving two websites - and, aimed at both Android and Windows users. For Windows users, the attackers set up counterfeit websites resembling popular social media platforms to steal login credentials.

Starry Addax Appears to Tailor Its Approach According to the Targeted Victims

The Starry Addax threat actor appears to be setting up its own infrastructure, hosting pages designed to harvest credentials, including counterfeit login pages for widely used media and email services worldwide.

This adversary, suspected to have been active since January 2024, employs spear-phishing emails to target individuals, encouraging them to download either the Sahara Press Service's mobile application or a related decoy relevant to the region.

Once the operating system of the requesting device has been identified, the victim is either directed to download a fraudulent APK posing as the Sahara Press Service application or redirected to a fake social media login page, where their credentials are harvested.

FlexStarling Emerges on the Android Malware Front

The newly discovered Android malware, FlexStarling, boasts versatility and is designed to deploy additional malicious components while clandestinely extracting sensitive information from compromised devices.

Upon installation, FlexStarling prompts the user to grant extensive permissions, enabling the malware to execute a range of unsafe activities. It can receive commands from a Firebase-based Command-and-Control (C2) server, indicating a deliberate effort by the threat actor to evade detection.

Such campaigns, particularly those targeting high-profile individuals, typically aim to remain undetected on the device for an extended duration.

Every aspect of this malware, from its components to the operational infrastructure, appears to be tailor-made for this specific campaign, highlighting a strong emphasis on stealth and conducting covert operations.

The Starry Addax May Be Building an Arsenal of Custom Malware Tools

The latest discoveries reveal an intriguing development: Starry Addax has chosen to construct its own array of tools and infrastructure for targeting human rights activists rather than relying on pre-made malware or commercially available spyware.

Although the attacks are still in their early operational stages, Starry Addax has deemed the supporting infrastructure and malware, known as FlexStarling, sufficiently developed to begin targeting human rights activists in North Africa.

The timeline of events, including the establishment of drop points, Command-and-Control (C2) centers, and the development of malware since early January 2024, suggests that Starry Addax is swiftly building its infrastructure to target high-profile individuals and is poised to gain momentum in its operations.

