New mobile malware masquerading as a news app has been spotted targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR), a partially recognized state in the western part of the Sahara desert.
Researchers at Cisco Talos and the Yahoo Advanced Cyber Threats Team uncovered the malicious Android mobile app, which pretends to be a variant of the Sahara Press Service app, run by a media agency associated with SADR.
In a spying campaign that Talos believes began this January and appears to be in its nascent stages, the custom-built app has been distributed via spearphishing emails sent to human rights activists in Morocco and SADR, also known as the Western Sahara.
Talos assessed that the app and surveillance infrastructure for the campaign were custom-made, suggesting “a heavy focus on stealth and conducting activities under the radar.” The app itself displays legitimate news content from the press service, but also allows the attackers to steal information from the target’s Android device and execute arbitrary code.
From the article:
The app is “still functional,” explained Vitor Ventura, a lead security researcher at Talos. “If you want to read the news on it, you can read the news on it, but at the same time someone else will read other stuff from your phone,” he explained.
That the threat actor — which Talos calls “Starry Addax” — is not using “commodity malware or commercially available spyware indicates the threat actor is making a conscious effort to evade detections and operate without being detected.”
Ventura told Recorded Future News the campaign appeared to be targeting the same people previously targeted by NSO Group spyware, as alleged by Amnesty International. He said it wasn’t possible to assess whether the app’s developers and operators were the same people, and that Talos could not identify who the operators were.
“Unless you have collaboration either from the victims, or from Google, it’s incredibly hard to find who is being targeted. In this case, because they were doing the initial attack via email attempting to push victims into a phishing panel, that’s how we could see what was happening,” said Ventura…
From what Talos was able to see, Ventura said he believed the malware “was developed specifically for this operation, we didn’t find any overlaps with other kinds of trojans. Of course it will get some code from other pieces that we see out there, because even the bad guys don’t have the will to reinvent the wheel when it’s already done.”
Late last year, Amnesty International alleged that Moroccan security forces unlawfully detained and sexually assaulted a Sahrawi activist. Amnesty has previously accused Moroccan authorities of using spyware to attack human rights defenders. The authorities in Morocco have denied being NSO Group customers.
The disputed territory of the Western Sahara is mostly controlled by Morocco following Spanish decolonisation in 1975, although Moroccan control is contested by a Sahrawi nationalist group known as the Polisario Front.
The Sahrawi people are an ethnic group native to the western part of the Sahara desert. The Polisario Front of Sahrawi nationalists and Morocco were engaged in a lengthy guerrilla war from 1975, following the Spanish departure, until 1991 when the United Nations brokered a peace deal.
Today the Sahrawi population is roughly equally split between mostly Moroccan-controlled territory in the Western Sahara and refugee camps in Algeria established to accommodate civilians displaced during the conflict.