Keypoints
- Starry Addax conducts spear-phishing to deliver links that redirect to attacker-controlled sites (ondroid[.]site / ondroid[.]store), which serve the FlexStarling APK or credential-harvesting login pages.
- FlexStarling impersonates the Sahara Press Service mobile app and requests wide Android permissions (e.g., READ_CALL_LOG, READ_SMS, READ_CONTACTS, RECORD_AUDIO, MANAGE_EXTERNAL_STORAGE) to collect data.
- The implant includes anti-emulation and sandbox-evasion checks (BUILD field checks and presence of emulator-specific files) to avoid analysis.
- FlexStarling uses a Firebase-based C2 and receives command codes hashed with MD5; matched commands enable actions like Download, Delete, Drop (upload to Dropbox), DECRYPT (AES-decrypt a DEX), and reflective DEX loading.
- Download and execution behavior: the malware can download files to the Downloads directory, decrypt DEX files within the package, and reflectively load them to execute arbitrary code.
- Exfiltration is supported via the Dropbox API using C2-supplied ACCESS TOKENs and paths; numerous operational artifacts (domains, short links, hashes) are published as IOCs.
- Talos notes the campaign appears bespoke and early-stage, with custom infrastructure and likely further development and variants planned.
MITRE Techniques
- [T1566.002] Spearphishing Link – Used to deliver shortened links that redirect victims to attacker-controlled sites serving the APK or credential pages (“The email … consists of a shortened link to an attacker-controlled website and domain”).
- [T1204.002] User Execution: Malicious Link – Targets are tricked into installing a malicious Android application (“tricking their targets into installing malicious Android applications we’re calling ‘FlexStarling.’”).
- [T1497.001] Virtualization/Sandbox Evasion – The implant checks BUILD fields and for emulator files to detect and avoid analysis (“it checks the BUILD information for keywords … checks for the following keywords” and lists emulator-related files).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses Firebase and web services to receive commands (“FlexStarling with a Firebase-based C2” and the C2 supplies command codes and variables).
- [T1105] Ingress Tool Transfer – The implant supports downloading files specified by the C2 into the device’s Downloads directory (“Download a file specified by a URL to the Downloads directory.”).
- [T1567.002] Exfiltration to Cloud Storage – The malware uploads local files to attacker-controlled Dropbox locations using tokens provided by the C2 (“Upload a local file to the attacker’s dropbox folders using the Dropbox API. The ACCESS TOKEN … is specified by the C2.”).
- [T1056] Input Capture / Collection – FlexStarling requests permissions to read call logs, SMS, contacts, and record audio to collect sensitive information (“Some of these permissions … READ_CALL_LOG, READ_EXTERNAL_STORAGE, READ_SMS, READ_CONTACTS, WRITE_EXTERNAL_STORAGE, INTERNET, ACCESS_NETWORK_STATE, RECORD_AUDIO, READ_PHONE_STATE”).
- [T1620] Reflective Code Loading / Dynamic Code Loading – The implant decrypts DEX files in the package and reflectively loads them for execution (“Decrypt a dex file located in the application package directory and reflectively load it.”).
Indicators of Compromise
- [File Hash] FlexStarling samples – f7d9c4c7da6082f1498d41958b54d7aeffd0c674aab26db93309e88ca17c826c, ec2f2944f29b19ffd7a1bb80ec3a98889ddf1c097130db6f30ad28c8bf9501b3
- [Domain] Attacker infrastructure – ondroid[.]site, ondroid[.]store
- [Cloud C2] Firebase realtime DB used for C2 – runningapplications-b7dae-default-rtdb[.]firebaseio[.]com
- [Shortened URL] Phishing redirect examples – bit[.]ly/48wdj1m, bit[.]ly/48E4W3N
- [Download URLs / Paths] Hosted APK paths – www[.]ondroid[.]store/aL2mohh1, www[.]ondroid[.]store/ties5shizooQu1ei/
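The indicators above are defanged, so they cannot be dropped into log searches as written. The following Python is an added example (not Talos tooling) that refangs the listed IOCs and runs them over DNS/proxy/AV log lines; the log lines are constructed for illustration and match the summary's indicators, including the subdomain form (www[.]ondroid[.]store) seen in the hosted APK paths.

```python
"""Match the published Starry Addax / FlexStarling IOCs against log lines.

Added example for this summary. IOC values are the ones listed on the page;
the log lines below are constructed, not real telemetry."""
import re

# Defanged indicators exactly as the summary lists them.
DEFANGED_IOCS = {
    "domain": [
        "ondroid[.]site",
        "ondroid[.]store",
        "runningapplications-b7dae-default-rtdb[.]firebaseio[.]com",
    ],
    "url": [
        "bit[.]ly/48wdj1m",
        "bit[.]ly/48E4W3N",
        "www[.]ondroid[.]store/aL2mohh1",
        "www[.]ondroid[.]store/ties5shizooQu1ei/",
    ],
    "sha256": [
        "f7d9c4c7da6082f1498d41958b54d7aeffd0c674aab26db93309e88ca17c826c",
        "ec2f2944f29b19ffd7a1bb80ec3a98889ddf1c097130db6f30ad28c8bf9501b3",
    ],
}


def refang(value: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its live form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(defanged):
    """Compile one case-insensitive regex per IOC category.

    Domain indicators match as whole host names and also cover subdomains,
    so www.ondroid.store is caught by the ondroid.store entry."""
    matchers = {}
    for category, values in defanged.items():
        live = [re.escape(refang(v)) for v in values]
        if category == "domain":
            pattern = (r"(?<![\w.-])(?:[\w-]+\.)*(?:" + "|".join(live)
                       + r")(?![\w-])")
        else:
            pattern = r"(?:" + "|".join(live) + r")"
        matchers[category] = re.compile(pattern, re.IGNORECASE)
    return matchers


def scan_logs(lines, matchers):
    """Return (line_number, category, matched_text) for every IOC hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for category, regex in matchers.items():
            for match in regex.finditer(line):
                hits.append((number, category, match.group(0)))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-03-11T09:14:02Z dns query A www.ondroid.store from 10.0.5.23",
    "2024-03-11T09:14:03Z proxy GET https://www.ondroid.store/aL2mohh1 ua=Dalvik/2.1.0",
    "2024-03-11T09:20:41Z dns query A runningapplications-b7dae-default-rtdb.firebaseio.com from 10.0.5.23",
    "2024-03-11T09:21:00Z proxy GET https://example.org/index.html ua=Mozilla/5.0",
    "2024-03-11T10:02:13Z av file sha256=ec2f2944f29b19ffd7a1bb80ec3a98889ddf1c097130db6f30ad28c8bf9501b3 verdict=unknown",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_matchers(DEFANGED_IOCS)):
        print(hit)
```

The bit[.]ly short links are worth matching on proxy logs but they expire or get rotated quickly; the Firebase realtime DB host and the ondroid[.] domains are the more durable pivots for blocking.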
FlexStarling infection begins with targeted spear-phishing emails containing shortened links that redirect victims to an attacker-controlled site (ondroid[.]site / ondroid[.]store). The landing page branches on the visitor’s operating system: Android devices are served an APK masquerading as the Sahara Press Service (SPSRASD) app, while Windows visitors are redirected to fake social-media login pages for credential harvesting. Once installed, the APK requests broad permissions (including READ_CALL_LOG, READ_SMS, READ_CONTACTS, RECORD_AUDIO, and MANAGE_EXTERNAL_STORAGE) to harvest communications and files. Before operating, the implant runs several anti-analysis checks: it inspects BUILD fields for emulator indicators (e.g., “Genymotion”, “google_sdk”, “vbox86”) and looks for emulator-specific files (e.g., /dev/socket/qemud, init.nox.rc), and it stays dormant when any check indicates an analysis environment, which helps it evade sandboxes.
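Both of the traits just described (the dangerous permission set and the emulator checks) are visible statically once an APK is decoded, which is useful when a sample refuses to run in a sandbox. The Python below is an added example (not Talos tooling) that triages a decoded sample: it parses the permissions from a manifest and searches the sample’s string table for the BUILD keywords and emulator file names listed above. The manifest, the package name and the string table are constructed; the verdict thresholds are a heuristic chosen for this example.

```python
"""Static triage of a decoded Android sample for the traits described above:
high-risk permissions plus emulator/sandbox-detection indicators.

Added example for this summary. The manifest and string table are constructed;
the keywords and file names come from the page."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the summary names as requested by FlexStarling.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}
# Emulator indicators named on the page: BUILD keywords and emulator-only files.
EMULATOR_BUILD_KEYWORDS = {"genymotion", "google_sdk", "vbox86"}
EMULATOR_FILES = {"/dev/socket/qemud", "init.nox.rc"}


def requested_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission android:name=...> entries from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def anti_emulation_indicators(strings) -> dict:
    """Find BUILD keywords and emulator file paths in a sample's string table."""
    lowered = [s.lower() for s in strings]
    return {
        "build_keywords": sorted(k for k in EMULATOR_BUILD_KEYWORDS
                                 if any(k in s for s in lowered)),
        "emulator_files": sorted(f for f in EMULATOR_FILES
                                 if any(f in s for s in lowered)),
    }


def triage(manifest_xml: str, strings) -> dict:
    """Combine both signals into a heuristic verdict (thresholds are illustrative)."""
    risky = sorted(requested_permissions(manifest_xml) & HIGH_RISK_PERMISSIONS)
    evasion = anti_emulation_indicators(strings)
    has_evasion = bool(evasion["build_keywords"] or evasion["emulator_files"])
    if len(risky) >= 3 or (risky and has_evasion):
        verdict = "suspicious"
    elif risky or has_evasion:
        verdict = "review"
    else:
        verdict = "low"
    return {"risky_permissions": risky, "evasion": evasion, "verdict": verdict}


# Constructed decoded manifest; the package name is a placeholder, not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed string table, as an analyst would dump it from the decoded DEX.
SAMPLE_STRINGS = [
    "Sahara Press Service",
    "Genymotion",
    "google_sdk",
    "/dev/socket/qemud",
    "init.nox.rc",
    "https://placeholder.invalid/",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A news-reader app with no plausible need for call logs, SMS and audio capture is already a strong signal on its own; the emulator checks mostly matter because they explain why a dynamic run may look benign.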
The malware communicates with a Firebase-based C2 to receive command codes, which it matches by computing their MD5 hashes and comparing them against hardcoded values. Supported commands include Download (fetch a URL to the Downloads directory), Delete (remove a specified path), Drop (read a local file and upload it to Dropbox using a C2-supplied ACCESS TOKEN and remote path), DECRYPT (AES-decrypt a file from the package to produce “.EXEC.dex”), Check (verify that a file is present), and the steps that decrypt and reflectively load DEX payloads for arbitrary code execution. The C2 supplies variables such as DURL, APPNAME, DEX, ky1–ky7, and fl to parameterize these commands (e.g., DURL as the download URL, ky3 as the Dropbox ACCESS TOKEN, ky5/ky6 as the AES key/IV). Together these capabilities give the operators data collection, dynamic payload delivery, and exfiltration via cloud services while maintaining a low profile.
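Hashing the command codes means the command names never appear as plain strings in the sample, so a strings dump shows only 32-character hex constants. The Python below is an added example (not Talos code) of how an analyst recovers them: pull the MD5-looking constants out of the decompiled code, then dictionary-resolve them with case variants of likely command words. The real sample’s hardcoded hashes are not reproduced on the page, so the constants here are computed from the command names the summary lists and stand in for the extracted values; the decompiled lines and the wordlist are constructed.

```python
"""Recover MD5-hashed command codes of the kind FlexStarling's C2 dispatch uses.

Added example for this summary. HARDCODED_HASHES stands in for the constants an
analyst would extract from a sample; it is computed here from the command
names on the page because the real values are not listed."""
import hashlib
import re

COMMAND_NAMES = ["Download", "Delete", "Drop", "DECRYPT", "Check"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Stand-in for the hash table hardcoded in the implant (constructed).
HARDCODED_HASHES = {md5_hex(name) for name in COMMAND_NAMES}

# Constructed decompiled lines: the hashes plus two of the C2 variable names.
SAMPLE_DECOMPILED = (
    ['const-string v0, "%s"' % h for h in sorted(HARDCODED_HASHES)]
    + ['const-string v1, "DURL"', 'const-string v2, "ky3"']
)

# Candidate command words an analyst might try (constructed wordlist).
WORDLIST = ["download", "delete", "drop", "decrypt", "check",
            "upload", "execute", "screenshot"]

HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def find_md5_constants(lines) -> set:
    """Extract every 32-hex-digit constant (MD5-sized) from decompiled text."""
    found = set()
    for line in lines:
        found.update(HEX32.findall(line.lower()))
    return found


def resolve_hashes(unknown_hashes, wordlist) -> dict:
    """Dictionary-resolve hashed command codes.

    Each word is tried as-is and in lower, UPPER and Capitalized form, since
    the page shows mixed-case names such as DECRYPT and Download. Returns
    {hash: plaintext} for the hashes that hit."""
    candidates = set()
    for word in wordlist:
        candidates.update({word, word.lower(), word.upper(), word.capitalize()})
    table = {md5_hex(c): c for c in candidates}
    return {h: table[h] for h in unknown_hashes if h in table}


def dispatch(command_code: str, resolved: dict) -> str:
    """Mirror the hashed lookup: hash the received code, map it to a command name."""
    return resolved.get(md5_hex(command_code), "unknown")


if __name__ == "__main__":
    constants = find_md5_constants(SAMPLE_DECOMPILED)
    resolved = resolve_hashes(constants, WORDLIST)
    for h, name in sorted(resolved.items(), key=lambda kv: kv[1]):
        print(h, "->", name)
    print("unresolved:", constants - set(resolved))
```

Unsalted MD5 of a short word is trivially reversible with a wordlist, so this scheme only hides command names from a casual strings pass, not from an analyst; hashes that stay unresolved after a reasonable wordlist are the ones worth a closer look in the dispatcher’s code.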
Talos published IOCs (hashes, domains, Firebase C2, and short links) and notes the campaign appears bespoke and early-stage, with evidence of custom infrastructure and likely further development. Detection and blocking recommendations include monitoring for the listed domains and hashes, blocking the Firebase realtime DB C2 URL, and restricting installation of unsigned or untrusted APKs. Read more: https://blog.talosintelligence.com/starry-addax/