A recent mobile espionage campaign has been uncovered, taking advantage of civilian anxieties during the ongoing Israel-Iran conflict. Attackers are distributing a trojanized version of Israel's official Red Alert rocket warning app through SMS phishing techniques.
This malicious operation, identified by CloudSEK and named RedAlert, bypasses the Google Play Store. Instead, it tricks victims into sideloading a counterfeit update that closely resembles the legitimate application from the Israel Defense Forces Home Front Command.
The fraudulent app not only mimics the authentic interface but also continues to deliver real rocket alerts while running a surveillance payload in the background.
In contrast to the official version, which only requires notification access, the weaponized variant aggressively requests high-risk permissions, such as access to SMS messages, contacts, and precise GPS location data.
Researchers noted that the malware employs advanced anti-detection techniques. It spoofs the original app's 2014 signing certificate and falsifies installation data to make it appear as if it was downloaded from the Play Store.
By manipulating Android's internal package manager through reflection and proxy hooks, the software circumvents standard integrity checks and hides secondary payloads embedded within the application.
Multi-Stage Infection Chain
The infection process unfolds in three stages:
- An initial loader that conceals the application and extracts hidden assets.
- A dynamically loaded intermediate payload stored as an internal file.
- A final executable component that activates spyware capabilities and command-and-control communication.
Once operational, the malware continuously monitors permission changes. The moment a user grants access to any sensitive feature, data harvesting begins. Stolen information, including entire SMS inboxes, contact lists, and real-time location coordinates, is staged locally before being transmitted to attacker-controlled servers via repeated HTTP POST requests.
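One practical check defenders can run on a suspicious sideloaded build is a permission-delta triage: compare what the package requests against the small set the legitimate alert app has a reason to hold, and flag the SMS, contacts and precise-location permissions the article calls out. The following is an added example, not code from CloudSEK or the researchers; the `aapt dump permissions` output is constructed, and the baseline set (notification access plus network) is an assumption about the official app.

```python
import re

# Constructed sample of `aapt dump permissions <apk>` output for a
# sideloaded look-alike build (the package name is a placeholder).
SAMPLE_AAPT_OUTPUT = """\
package: com.example.redalert.lookalike
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

# Assumed baseline: what a notification-only alert app legitimately needs.
EXPECTED_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
}

# The over-reach the article describes: SMS, contacts, precise GPS.
HIGH_RISK = {
    "android.permission.READ_SMS": "SMS inbox (2FA codes)",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
}

# Matches both the name='...' form and the older bare form of aapt output.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)


def parse_aapt_permissions(text: str) -> set[str]:
    """Extract requested permission names from `aapt dump permissions` text."""
    return set(_PERM_RE.findall(text))


def triage(requested: set[str], baseline: set[str] = EXPECTED_BASELINE) -> dict[str, str]:
    """Return high-risk permissions requested beyond the baseline, with a reason each."""
    excess = requested - baseline
    return {p: HIGH_RISK[p] for p in sorted(excess) if p in HIGH_RISK}


def is_suspicious(aapt_text: str) -> bool:
    """True when the build asks for any high-risk permission the baseline does not justify."""
    return bool(triage(parse_aapt_permissions(aapt_text)))


if __name__ == "__main__":
    for perm, why in triage(parse_aapt_permissions(SAMPLE_AAPT_OUTPUT)).items():
        print(f"over-privileged: {perm} -> {why}")
```

The same delta check works against `adb shell dumpsys package <pkg>` output once the permission lines are extracted, and a non-empty result is a reason to pull the device for the isolation steps described below.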
Strategic And Physical Security Risks
Network analysis has linked outbound traffic to infrastructure hosted on AWS and routed through Cloudflare, concealing the operators' backend systems. The command-and-control (C2) endpoint api.ra-backup[.]com was observed receiving exfiltrated data.
The researchers at CloudSEK cautioned that this campaign presents more than just a typical cyber threat. Continuous GPS tracking during active air raids could reveal civilian shelter locations or track military reservists' movements. Additionally, intercepted SMS messages may allow attackers to bypass two-factor authentication or conduct targeted psychological operations.
Beyond espionage, this operation threatens public trust. By hijacking the branding of a critical emergency application, it risks undermining confidence in official alert systems at a time when civilians rely on them the most.
In response, security teams recommend immediate device isolation, revocation of administrative privileges, and, in many cases, a full factory reset to eliminate the malware. Network administrators are advised to block known malicious domains and restrict the sideloading of applications through mobile device management policies.