
The Acronis Threat Research Unit (TRU) has identified a campaign targeting Israelis. It tricks them into downloading a trojanized version of the RedAlert rocket alert app for Android.
- A fake version of the popular RedAlert app (which warns citizens of incoming missiles) is being used to deploy spyware via phishing SMS messages.
- The trojanized app functions like the real one while quietly harvesting login credentials, location data, contacts, and even one-time passwords in the background.
- The spyware relaunches automatically after every restart, making it difficult to remove once installed.
RedAlert is an application that provides real-time emergency alerts for Israeli citizens. For example, users are notified when rockets or missiles are being fired at Israel, allowing them to find shelter.
It’s a popular emergency app that has been downloaded over 3 million times for Android.
Security researchers from Acronis TRU discovered that a malicious version of the app has been circulating. The trojanized application mimics the legitimate RedAlert app while running malicious code in the background.
Israeli users are being contacted via SMS messages, pretending to be the official Home Front Command communications office. The message urges users to download an update for the RedAlert app due to an alleged alert malfunction. It contains a bit.ly link, hiding the attackers’ intentions.
Instead of taking users to the Google Play Store to download a legitimate update, it redirects them to download spyware that collects personal and sensitive information from users’ Android devices, including login credentials, location data, and contact information. This information is then sent to an adversary-controlled command-and-control (C2) server that manages the spyware.
By examining the AndroidManifest.xml, the cybersecurity firm found that the spyware requests a total of 20 permissions, of which six are considered extremely sensitive due to their potential for abuse, such as access to the owner’s location, SMS messages, contact information, and accounts stored on the device.
The malware also allows the operators to create phishing overlays on top of other applications. This enables them to steal one-time passwords, credentials, and account numbers.
Rebooting doesn’t help get rid of the spyware, as it automatically relaunches after each reboot.
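As a defender's triage check, here is an added Python example (not Acronis TRU's tooling) that lists the uses-permission entries in a decoded AndroidManifest.xml and flags the categories the article calls out (location, SMS, contacts, accounts, plus overlay and boot-time relaunch); the manifest it parses is constructed for illustration, not the trojan's.

```python
"""Triage helper: list the permissions an Android app declares in its
AndroidManifest.xml and flag the ones that warrant closer review.
Added example, not Acronis TRU's tooling; the sample manifest below is
constructed for illustration and is not the RedAlert trojan's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the abuse categories the article names: location,
# SMS, contacts, accounts, plus the overlay permission used for phishing screens.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def triage(manifest_xml: str) -> dict:
    """Summarise total permission count, sensitive ones by category, and boot relaunch."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    boot = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    return {"total": len(perms), "sensitive": flagged, "relaunch_on_boot": boot}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A manifest taken directly from an APK is binary XML, so decode it first (for example with apktool) before feeding it to this script.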
According to Acronis, the spyware may be linked to Arid Viper, a Hamas-linked cyberespionage group that’s also known as APT-C-23. This assessment is supported by several indicators, including the use of a trojanized Android application, the focus on Israeli targets, and spyware functionality consistent with capabilities previously attributed to this group.
“This campaign illustrates how trusted emergency infrastructure can be exploited during periods of conflict to amplify the effectiveness of social engineering and facilitate data collection. By embedding spyware within a fully functional alert application, the operators were able to preserve user trust while covertly collecting sensitive information,” Acronis TRU concluded.
It remains unknown how many Israelis have been affected by the spyware campaign.