Human rights activists in Western Sahara are being targeted by mobile malware

New mobile malware masquerading as a news app has been spotted targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR), a partially recognized state in the western part of the Sahara desert.

Researchers at Cisco Talos and the Yahoo Advanced Cyber Threats Team uncovered the malicious Android mobile app, which pretends to be a variant of the Sahara Press Service app, run by a media agency associated with SADR.

In a spying campaign that Talos believes began this January and appears to be in its nascent stages, the custom-built app has been distributed via spearphishing emails sent to human rights activists in Morocco and SADR, also known as the Western Sahara.

Talos assessed that the app and surveillance infrastructure for the campaign were custom-made, suggesting “a heavy focus on stealth and conducting activities under the radar.” The app itself displays legitimate news content from the press service, but also allows the attackers to steal information from the target’s Android device and execute arbitrary code.

The app is ”still functional,” explained Vitor Ventura, a lead security researcher at Talos. “If you want to read the news on it, you can read the news on it, but at the same time someone else will read other stuff from your phone,” he explained.

That the threat actor — which Talos calls “Starry Addax” — is not using “commodity malware or commercially available spyware indicates the threat actor is making a conscious effort to evade detections and operate without being detected.”

Ventura told Recorded Future News the campaign appeared to be targeting the same people previously targeted by NSO Group spyware, as alleged by Amnesty International. He said it wasn’t possible to assess whether the app’s developers and operators were the same people, and that Talos could not identify who the operators were.

“Unless you have collaboration either from the victims, or from Google, it’s incredibly hard to find who is being targeted. In this case, because they were doing the initial attack via email attempting to push victims into a phishing panel, that’s how we could see what was happening,” said Ventura.

No direct view of victims

Talos has no visibility into the end-devices targeted by the campaign, although its researchers were able to unravel the infrastructure after their colleagues at Yahoo flagged the suspect Android app.

Ventura said the researchers would welcome victims coming forward for assistance.

“We, as Talos, have been pushing this message ever since we talked about Intellexa and other mercenary groups — that we are here to help, and when victims have any kind of issues, they can reach out to us and we will help them,” said Ventura.

“Every once in a while, Apple sends these notifications to users that they’re being targeted,” he added. Apple this week sent a batch of notifications to users in 92 countries that they may have been targeted by mercenary spyware.

But the problem with these alerts for victims is “you don’t know by who, you don’t know why, you don’t know when. You know almost nothing, and 90% of those victims, they don’t have the capability to do any kind of analysis,” said Ventura.

“I’m pushing the conversation to this space, because I believe the same kind of victims on this case are the ones that may be targeted by the other ones,” he added.

From what Talos was able to see, Ventura said he believed the malware “was developed specifically for this operation, we didn’t find any overlaps with other kinds of trojans. Of course it will get some code from other pieces that we see out there, because even the bad guys don’t have the will to reinvent the wheel when it’s already done.”

Late last year, Amnesty International alleged that Moroccan security forces unlawfully detained and sexually assaulted a Sahrawi activist. Amnesty has previously accused Moroccan authorities of using spyware to attack human rights defenders. The authorities in Morocco have denied being NSO Group customers.

The disputed territory of the Western Sahara is mostly controlled by Morocco following Spanish decolonisation in 1975, although Moroccan control is contested by a Sahrawi nationalist group known as the Polisario Front.

The Sahrawi people are an ethnic group native to the western part of the Sahara desert. The Polisario Front of Sahrawi nationalists and Morocco were engaged in a lengthy guerrilla war from 1975, following the Spanish departure, until 1991 when the United Nations brokered a peace deal.

Today the Sahrawi population is roughly equally split between mostly Moroccan-controlled territory in the Western Sahara and refugee camps in Algeria established to accommodate civilians displaced during the conflict.