Cisco Talos is disclosing a new threat actor we deemed "Starry Addax" that targets mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause, using novel mobile malware. Starry Addax conducts phishing attacks that trick targets into installing malicious Android applications we're calling "FlexStarling." For Windows-based targets, Starry Addax will serve credential-harvesting pages masquerading as login pages from popular media websites. Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.

Starry Addax has a special interest in Western Sahara

The malicious mobile application (APK), "FlexStarling," analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. The Sahara Press Service is a media agency associated with the Sahrawi Arab Democratic Republic. The malware serves Spanish-language content from the SPSRASD website to look legitimate to the victim. In reality, FlexStarling is highly versatile malware capable of deploying additional malware components and stealing information from infected devices.

Figure: Splash screen for the malicious application.

Starry Addax's infrastructure can be used to target Windows- and Android-based users. This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights…