⚡ Key Takeaways

Cisco Talos identified a threat actor called Starry Addax deploying custom Android spyware FlexStarling against targets in North Africa, using Firebase-based C2 infrastructure to evade detection. Algeria recorded over 70 million cyberattacks in 2024, ranking 17th globally, while mobile banking trojan attacks surged 196% worldwide during the same period.

Bottom Line: Algerian enterprises and mobile banking providers should immediately audit their mobile security posture and deploy mobile threat defense solutions, as the region faces increasingly sophisticated, purpose-built mobile spyware campaigns.



🧭 Decision Radar

Relevance for Algeria
High

Algeria is directly named among the most cyberattacked countries in 2024, with 70 million attacks recorded. The Starry Addax campaign specifically targets North Africa, and Algeria’s expanding mobile banking ecosystem shares the same weaknesses this threat actor exploits: an Android-dominated device base, routine sideloading of APKs, and a wide gap in user security awareness.
Action Timeline
Immediate

FlexStarling is actively deployed against North African targets, and the mobile threat landscape is worsening with a 196% surge in banking trojans globally. Algerian organizations cannot wait for future policy implementation to act on mobile security.
Key Stakeholders
Enterprise security teams, mobile banking users, financial regulators, telecom operators, ASSI, DZ-CERT
Decision Type
Tactical

This article provides specific, actionable intelligence about an active threat in Algeria’s region, requiring concrete defensive measures rather than long-term strategic planning.
Priority Level
Critical

Algeria faces an active, sophisticated mobile threat campaign in its region while mobile banking adoption is accelerating. The gap between threat sophistication and defensive readiness creates immediate risk for millions of users.

Quick Take: Algerian enterprise security teams should deploy mobile threat defense solutions and conduct targeted security awareness training on spear-phishing and malicious APK sideloading within the next 30 days. Individual users should immediately audit their installed apps, disable unknown sources, and switch from SMS-based to app-based two-factor authentication. Financial regulators should accelerate minimum security standards for mobile banking applications before the next wave of region-specific banking trojans arrives.

A Targeted Mobile Threat Arrives in North Africa

Cisco Talos researchers identified a threat actor called Starry Addax in April 2024, revealing a campaign that specifically targets human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause in North Africa. The group deploys a custom Android spyware called FlexStarling through spear-phishing emails that lure victims into installing a trojanized mobile application.

What makes Starry Addax significant for Algeria’s broader cybersecurity landscape is not just its immediate targets but what it reveals about the mobile threat environment in the region. The group’s custom-built tools, region-specific social engineering, and deliberate evasion techniques demonstrate a level of sophistication that previews the kinds of threats Algeria’s rapidly expanding mobile ecosystem will increasingly face.

Algeria recorded over 70 million cyberattacks in 2024, ranking 17th globally among the most-targeted countries according to Kaspersky. The firm also blocked more than 13 million phishing attempts and nearly 750,000 malicious email attachments targeting Algerian users during the same period.

How Starry Addax Operates

Starry Addax has been active since at least January 2024, focusing its operations on individuals sympathetic to the SADR cause in Morocco and the Western Sahara region. The name follows the common vendor convention of pairing an animal associated with the target region with a descriptive modifier: the addax is a critically endangered Saharan antelope, and “starry” echoes the name of the group’s FlexStarling malware family.

The campaign’s infection chain begins with spear-phishing emails that urge targets to install what appears to be the Sahara Press Service (SPSRASD) mobile application or a related decoy relevant to the Western Sahara context. The group’s phishing infrastructure adapts based on the victim’s operating system: Android users receive the FlexStarling APK, while Windows users are redirected to a social media login page designed to harvest credentials.

What distinguishes Starry Addax from opportunistic cybercriminals is its investment in custom tooling. All components, from the malware to the operating infrastructure, appear to be custom-made for this specific campaign rather than relying on commodity tools available on underground forums. This indicates a well-resourced operation with a deliberate focus on stealth.

FlexStarling: Technical Capabilities

FlexStarling is an Android spyware designed to extract sensitive information from compromised devices while evading detection. Upon installation, the malicious APK requests extensive permissions from the Android operating system, including access to SMS messages, call logs, contacts, external storage, audio recording, phone state information, and network connectivity.

The malware’s command-and-control infrastructure relies on Firebase, Google’s mobile development platform, rather than a dedicated C2 server. This architectural choice is deliberate: the malware’s beacons are TLS connections to Google-owned Firebase endpoints, the same destinations thousands of legitimate apps use, so network-level blocking or anomaly detection has little to work with. In practice this pushes detection onto the device itself: which apps are installed, from where, and with which permissions.

FlexStarling includes anti-analysis features that check fields of the Android Build class for keywords indicating the malware is running on an emulator or analysis sandbox. This complicates dynamic analysis: a sample that recognises the sandbox simply declines to misbehave, so researchers see no C2 traffic or data collection. Once established on a real device, FlexStarling can receive commands from its C2 to activate or deactivate capabilities, deploy additional malware components, and exfiltrate collected data.
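The emulator check the article describes is a keyword scan over Build fields, which on a device surface as ro.product.*, ro.build.* and ro.hardware system properties. The script below, an added example and not FlexStarling’s code, reimplements that kind of check in Python over the output of `adb shell getprop` so an analyst can see whether an analysis device would be fingerprinted. The keyword list is an assumption about strings commonly found in stock AVD, Genymotion and VirtualBox images, not Talos’s published indicators, and both property dumps are constructed samples.

```python
"""Emulator-fingerprint check over `adb shell getprop` output.

Added example, not code from Cisco Talos or from FlexStarling. Keyword list is
an assumption about typical emulator build strings, not the sample's own list.
"""
import re

# System properties that back the android.os.Build fields malware commonly reads.
BUILD_PROPS = (
    "ro.product.model", "ro.product.manufacturer", "ro.product.brand",
    "ro.product.device", "ro.hardware", "ro.build.fingerprint",
    "ro.build.product",
)
# Substrings typical of stock Android emulators and VM images (assumption).
EMULATOR_KEYWORDS = (
    "google_sdk", "sdk_gphone", "emulator", "android sdk built for",
    "genymotion", "goldfish", "ranchu", "vbox86", "generic",
)

# Constructed getprop excerpts: a stock Android Virtual Device and a physical phone.
AVD_GETPROP = """
[ro.product.model]: [sdk_gphone_x86]
[ro.product.manufacturer]: [Google]
[ro.product.brand]: [google]
[ro.product.device]: [generic_x86]
[ro.hardware]: [ranchu]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:user/release-keys]
[ro.build.product]: [sdk_gphone_x86]
[ro.kernel.qemu]: [1]
"""
PHONE_GETPROP = """
[ro.product.model]: [Pixel 4a]
[ro.product.manufacturer]: [Google]
[ro.product.brand]: [google]
[ro.product.device]: [sunfish]
[ro.hardware]: [sunfish]
[ro.build.fingerprint]: [google/sunfish/sunfish:13/TQ3A.230805.001/10316531:user/release-keys]
[ro.build.product]: [sunfish]
[ro.kernel.qemu]: [0]
"""

def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\[([^\]]+)\]: \[([^\]]*)\]", text)}

def emulator_indicators(props):
    """Return (property, keyword) pairs an emulator-aware sample would trip on."""
    hits = []
    for key in BUILD_PROPS:
        value = props.get(key, "").lower()
        hits.extend((key, kw) for kw in EMULATOR_KEYWORDS if kw in value)
    # QEMU-based emulators also expose this kernel flag; treat it as a direct hit.
    if props.get("ro.kernel.qemu") == "1":
        hits.append(("ro.kernel.qemu", "1"))
    return hits

def looks_like_emulator(text):
    return bool(emulator_indicators(parse_getprop(text)))

if __name__ == "__main__":
    for label, dump in (("AVD", AVD_GETPROP), ("phone", PHONE_GETPROP)):
        hits = emulator_indicators(parse_getprop(dump))
        print(f"{label}: {'fingerprinted' if hits else 'clean'} {hits}")
```

Every hit listed for the AVD is a property a sandbox operator can override (build.prop edits, a custom system image, or a hooking framework that rewrites the Build fields) so that a sample using this class of check proceeds to its C2 stage.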

The permissions requested, particularly READ_SMS, RECEIVE_SMS, READ_CONTACTS, and READ_CALL_LOG, are especially dangerous in Algeria’s context where SMS remains the primary two-factor authentication mechanism for most banking and financial services. An app holding READ_SMS can read OTP messages from the inbox, and one holding RECEIVE_SMS can be notified of each incoming message as it arrives. Google Play policy has restricted SMS and call-log permissions to a narrow set of app categories since 2019, which is one reason spyware with this permission set is delivered by sideloading rather than through the store. If similar techniques were applied at scale against mobile banking users, compromised devices could give attackers the ability to intercept OTP messages and bypass two-factor authentication.
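A first triage step for a suspicious APK is to decode it (for example with apktool) and read the permission set and receivers out of AndroidManifest.xml. The script below is an added example, not tooling from the article or from Cisco Talos: it parses a decoded manifest, flags the high-risk permissions the article lists, and reports whether the combination needed for OTP interception (SMS access plus network access, optionally an SMS_RECEIVED receiver) is present. The manifest embedded in it is a constructed sample modelled on the described permission set, not FlexStarling’s real manifest, and the risk thresholds are the author’s own assumption.

```python
"""Permission triage for an apktool-decoded AndroidManifest.xml.

Added example, not code from the article or from Cisco Talos. The sample
manifest is constructed; the verdict thresholds are an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name in ElementTree's Clark notation
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that give spyware its collection capability and why they matter.
HIGH_RISK = {
    "android.permission.READ_SMS": "read stored SMS, including OTP codes",
    "android.permission.RECEIVE_SMS": "see incoming SMS as it arrives",
    "android.permission.READ_CONTACTS": "exfiltrate the contact list",
    "android.permission.READ_CALL_LOG": "exfiltrate call history",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.READ_PHONE_STATE": "collect device and SIM identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "read files and media",
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NETWORK_PERMS = {"android.permission.INTERNET"}

# Constructed sample: a news-reader lure carrying a spyware-style permission set.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="News Reader">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

def parse_manifest(xml_text):
    """Extract package name, declared permissions and SMS_RECEIVED receivers."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    sms_receivers = [
        recv.get(NAME) for recv in root.iter("receiver")
        if any(a.get(NAME) == SMS_RECEIVED for a in recv.iter("action"))
    ]
    return {"package": root.get("package"), "permissions": perms,
            "sms_receivers": sms_receivers}

def triage(info):
    """Score the permission set; OTP interception needs SMS access plus network."""
    perms = info["permissions"]
    findings = [f"{p}: {HIGH_RISK[p]}" for p in sorted(perms) if p in HIGH_RISK]
    has_network = bool(perms & NETWORK_PERMS)
    otp_interception = has_network and bool(perms & SMS_PERMS)
    if otp_interception or (has_network and len(findings) >= 3):
        verdict = "HIGH"
    elif findings:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {"package": info["package"], "verdict": verdict, "findings": findings,
            "otp_interception": otp_interception,
            "sms_receivers": info["sms_receivers"]}

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage(parse_manifest(text))
        print(result["package"], result["verdict"], result["otp_interception"])
        for line in result["findings"]:
            print("  ", line)
```

A high-priority SMS_RECEIVED receiver is worth calling out separately: on older Android versions it let an app see an OTP and abort the broadcast before the user’s messaging app did, which is exactly the behaviour banking trojans relied on.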


Why Algeria’s Mobile Ecosystem Is Vulnerable

Starry Addax targets a specific niche, but the vulnerabilities it exploits are systemic across Algeria’s mobile landscape.

Android dominance creates a wide attack surface. Android holds over 87% market share in Algeria. While Android’s openness is a strength for users and developers, it allows applications to be installed from any source, making users susceptible to sideloaded malware distributed through phishing. Many devices in the region run older Android versions that no longer receive security patches, creating a large population of permanently vulnerable smartphones.

Mobile financial services are expanding rapidly. Services like BaridiMob (Algerie Poste’s mobile banking platform, which launched Baridi Pay contactless payments in June 2025), CCP mobile applications, and emerging fintech platforms are bringing millions of previously cash-only users into the digital financial system. Each new mobile banking user represents a potential target, and the transition is outpacing security awareness.

Banking trojans are surging globally. Kaspersky reported that banking trojan attacks on smartphones surged 196% in 2024, and mobile banking trojan detections in the first half of 2025 were nearly four times higher than the same period the prior year. Active Android families such as Cerberus and Anubis overlay fake login screens on top of legitimate banking apps to capture credentials and abuse accessibility services to read OTPs. Grandoreiro, a Windows banking trojan whose expansion beyond Latin America has been documented to include Algeria among other African countries, shows that the region is also on the target list of established financially motivated groups.

Social media serves as a phishing distribution channel. With over 25 million Facebook users in Algeria as of early 2025, according to Meta advertising data, social media platforms are a major distribution vector for phishing campaigns. WhatsApp, which is ubiquitous in Algeria, amplifies the threat as malicious links shared through personal contacts carry implicit trust.

Algeria’s Defensive Framework

Algeria has been building institutional cybersecurity capabilities, though the International Telecommunication Union ranks the country at Tier 3 (“establishing”) in its 2024 Global Cybersecurity Index, reflecting structured engagement still in a consolidation phase.

National Cybersecurity Strategy 2025-2029. Approved by President Tebboune via Presidential Decree No. 25-321 on December 30, 2025, and unveiled by ASSI (the Information Systems Security Agency under the Ministry of National Defence) on March 3, 2026, the strategy pursues three main objectives: protecting critical infrastructure, securing sensitive state data, and ensuring continuity of public services. It emphasizes strengthening technical capabilities, improving inter-agency coordination, and reinforcing prevention and cyber-incident response.

Presidential Decree 26-07. Signed on January 7, 2026, and published in the Official Gazette on January 21, this decree mandates that every public institution establish a dedicated cybersecurity unit separate from IT management, reporting directly to the institution’s head. The units must design cybersecurity policies, conduct risk mapping, deploy remediation plans, and ensure compliance with personal data protection legislation. This creates accountability structures that previously did not exist in most public institutions.

Institutional architecture. Algeria’s cybersecurity framework operates through three entities: ASSI as the operational technical agency with its CNOSSI operations center, CNSSI as the strategic policy body (created by Law No. 20-05 of 2020), and DZ-CERT as the national computer emergency response team hosted by CERIST, a member of both FIRST and AfricaCERT.

However, implementation remains the critical gap. Many institutions lack the budget, expertise, or organizational commitment to fully operationalize the cybersecurity units mandated by Decree 26-07. The asymmetry between the professional-grade tools used by groups like Starry Addax and the default security posture of many Algerian organizations remains stark.

Practical Defense for Algerian Users and Enterprises

For individual users: Install applications only from the Google Play Store and disable “install from unknown sources” in Android settings. Review app permissions before installation; a news or payments app has no reason to ask for SMS or call-log access. Keep devices updated with the latest security patches. Where services support it, use authenticator apps (Google Authenticator, Microsoft Authenticator) rather than SMS for two-factor authentication: a time-based code never crosses the mobile network, so SMS interception and SIM swap attacks do not reach it. Authenticator codes can still be phished or captured by malware running on the same device, so app-based 2FA reduces the SMS-specific risk rather than eliminating device compromise as a threat.

For enterprise security teams: Deploy Mobile Device Management (MDM) solutions to enforce encryption, application whitelisting, and remote wipe capabilities. Invest in Mobile Threat Defense (MTD) tools that detect malicious applications and network-level attacks. Conduct regular security awareness training that specifically addresses mobile phishing and app vetting. Develop incident response procedures for mobile device compromise.

For national institutions: Strengthen threat intelligence sharing between DZ-CERT, ASSI, and international counterparts to enable faster detection of campaigns like Starry Addax. Prioritize mobile security education in public awareness campaigns, particularly targeting populations newly adopting mobile financial services. Mandate minimum security standards for mobile banking applications, including code obfuscation, certificate pinning, and runtime application self-protection.



Frequently Asked Questions

What is Starry Addax and who does it target?

Starry Addax is a threat actor identified by Cisco Talos in April 2024 that targets human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause in North Africa. The group uses custom-built Android spyware called FlexStarling, distributed through spear-phishing emails that impersonate the Sahara Press Service mobile application. While its current targets are specific, the techniques it employs are applicable to any mobile user in the region.

How does FlexStarling evade detection on Android devices?

FlexStarling uses a Firebase-based command-and-control infrastructure instead of a dedicated C2 server, so its network communications are TLS connections to Google-owned endpoints that blend in with legitimate app traffic. The malware also includes anti-analysis features that detect when it is running on an emulator or security sandbox and withhold its malicious behaviour there, which complicates dynamic analysis by researchers. All components are custom-built specifically for this campaign rather than adapted from publicly available malware toolkits.

What should Algerian mobile banking users do to protect themselves?

The most effective defense is installing apps only from the Google Play Store and disabling the “install from unknown sources” setting on Android devices. Users should switch from SMS-based two-factor authentication to authenticator apps like Google Authenticator, which are not affected by SMS interception or SIM swaps, while keeping in mind that codes can still be phished or read by malware on a compromised phone. Keeping devices updated with the latest security patches is also critical, and users should be skeptical of any message creating urgency to download an application or click a link.

Sources & Further Reading