Trojanized Red Alert App Spreads Spyware Through Smishing Campaign Targeting Israeli Users

By Ash K

Security researchers have uncovered a sophisticated mobile spyware campaign targeting Israeli users through fraudulent SMS messages impersonating Israel’s Home Front Command. The operation distributes a trojanized Android version of the Red Alert rocket warning application, a widely used tool that notifies civilians of incoming missile threats.

The campaign was identified by the Acronis Threat Research Unit (TRU), which reported that the malicious application preserves the legitimate alert functionality while secretly running spyware in the background.

Smishing Campaign Impersonates Emergency Alerts

Attackers deliver the malware through smishing messages that appear to come from Israel’s Home Front Command. The SMS messages include shortened links directing recipients to download what appears to be the official Red Alert mobile application.

Because the Red Alert system is a trusted emergency notification service used during missile attacks, the social engineering tactic significantly increases the likelihood that victims will install the application without suspicion.

The downloaded APK file installs normally and even loads the legitimate Red Alert interface, allowing the application to appear authentic while malicious processes operate in the background.

Spyware Hidden Behind Legitimate Functionality

Researchers found that the trojanized application maintains the original alert functionality by loading components from the legitimate Red Alert application package. This allows the malware to function normally from the user’s perspective while simultaneously executing hidden surveillance activities.

Behind the scenes, the spyware monitors device permissions and begins harvesting sensitive data immediately after installation. The collected information includes SMS messages, contact lists, device accounts, GPS location data, and details about installed applications.

The data is stored locally on the device before being periodically transmitted to attacker-controlled infrastructure.

Advanced Evasion Techniques Used

The spyware incorporates several techniques designed to evade detection and bypass Android security protections. Researchers observed the use of certificate spoofing and dynamic proxy hooks that manipulate the Android Package Manager in order to bypass signature verification checks.

The application also uses multiple layers of code obfuscation and encryption, including Base64 encoding combined with XOR-based string obfuscation, to conceal the malware’s functionality.
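The Base64-plus-XOR layering described above is a common string-hiding scheme, and an analyst reverses it in the opposite order: Base64-decode, then XOR. The following Python is an added example, not code from the Acronis report or from the malware itself. It assumes a single-byte repeating XOR key applied before Base64 encoding; the real sample's key, key length and string layout are not disclosed on this page, so the key and string table below are constructed for the example.

```python
import base64

# Constructed sample key and strings for this example; the real sample's key,
# key length and string layout are not given in the article.
SAMPLE_KEY = b"\x5a"
SAMPLE_STRINGS = [
    "https://c2.example.invalid/analytics/submit.php",
    "android.intent.action.BOOT_COMPLETED",
    "content://sms/inbox",
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; a one-byte key is the simplest case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(text: str, key: bytes) -> str:
    """Apply the layering the article describes: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(text.encode("utf-8"), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Undo the layering in reverse order: Base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def recover_key(blob: str, known_prefix: str, key_len: int = 1) -> bytes:
    """Known-plaintext key recovery.

    XOR is its own inverse, so ciphertext[i] ^ plaintext[i] yields key[i % key_len].
    A string that must start with a known value (here a URL scheme) supplies
    enough plaintext to derive the key; the candidate is then checked against
    the whole prefix so a wrong guess is reported instead of silently accepted.
    """
    raw = base64.b64decode(blob)
    known = known_prefix.encode("utf-8")
    if len(known) < key_len or len(raw) < len(known):
        raise ValueError("known prefix too short for this key length or blob")
    key = bytes(raw[i] ^ known[i] for i in range(key_len))
    if xor_bytes(raw[: len(known)], key) != known:
        raise ValueError("known prefix does not fit a repeating key of this length")
    return key


# Obfuscated string table as it might be pulled from a decompiled class (constructed).
SAMPLE_BLOBS = [obfuscate(s, SAMPLE_KEY) for s in SAMPLE_STRINGS]


def decode_string_table(blobs, known_prefix="https://", key_len=1):
    """Recover the key from the first blob (assumed to hold a URL) and decode the rest."""
    key = recover_key(blobs[0], known_prefix, key_len)
    return key, [deobfuscate(b, key) for b in blobs]


if __name__ == "__main__":
    key, strings = decode_string_table(SAMPLE_BLOBS)
    print(f"recovered key: {key.hex()}")
    for s in strings:
        print(" ", s)
```

In practice the known prefix comes from context in the decompiled code (a string passed to a URL builder, an intent action constant), and the recovered key is then applied to the whole table; a key that fails the prefix check usually means the key length guess is wrong, not that the scheme is different.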

Additionally, the malware leverages Android broadcast events such as BOOT_COMPLETED to automatically relaunch itself after a device reboot, ensuring continued persistence on infected systems.
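The data classes the spyware harvests (SMS, contacts, accounts, location, installed applications) and the BOOT_COMPLETED persistence both leave traces in an APK's manifest, which makes a manifest triage pass a cheap first check. The Python below is an added example, not code from the Acronis report; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest and package name are constructed for the example rather than taken from the real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"

# Permissions mapped onto the data classes the article says the spyware harvests.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS location",
    "android.permission.QUERY_ALL_PACKAGES": "installed applications",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed decoded manifest; the package name and component names are invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Suspect">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".CollectorService"/>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise sensitive permissions and boot-time receivers from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    # Requested permissions that correspond to harvested data classes or persistence.
    requested = [p.get(A_NAME, "") for p in root.iter("uses-permission")]
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS}

    # Receivers whose intent filter listens for BOOT_COMPLETED relaunch after reboot.
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(A_NAME, ""))

    data_classes = sorted(set(flagged.values()) - {"boot persistence"})
    return {
        "package": package,
        "flagged_permissions": flagged,
        "boot_receivers": boot_receivers,
        "data_classes": data_classes,
        # Triage heuristic: boot persistence combined with two or more harvested
        # data classes is worth a closer look; it is a prompt, not a verdict.
        "suspicious": bool(boot_receivers) and len(data_classes) >= 2,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A legitimate alerting app can also request location and boot permissions, so the heuristic is only a prompt for deeper analysis. It also will not see code that the trojanized app loads at runtime from the legitimate package, which is why the researchers' behavioural findings matter more than any single static check.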

Continuous Data Exfiltration

Once installed, the spyware continuously collects sensitive device information and transmits it to its command-and-control infrastructure. The malware communicates with a remote server using encrypted HTTP requests, allowing attackers to receive batches of harvested data.

Researchers say the exfiltrated data includes personal communications, location information, device identifiers, and account data, providing attackers with a detailed profile of the compromised device and its user.

Indicators of Compromise

Security teams monitoring potential infections should be aware of the following indicators associated with the campaign:

  • Malicious Android package: com.red.alertx
  • Trojanized APK: RedAlert.apk
  • SHA256 hash: 83651b0589665b1126870858bfe2832ca317ba75e700c91ac34025ee6578b72
  • C2 infrastructure: hxxps://api[.]ra-backup[.]com/analytics/submit[.]php
  • Domain used by attackers: ra-backup[.]com
  • Delivery method: SMS messages containing shortened Bitly links
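Indicators are published in defanged form and have to be refanged and validated before they are useful in a detection pipeline. The Python below is an added example, not tooling from the Acronis report; it takes the indicators listed above, refangs them, and runs them over constructed DNS, proxy and MDM log lines. The printed SHA256 value is 63 hexadecimal characters rather than 64, so the example checks digest length first and leaves hash matching out when the value cannot be a SHA-256 digest.

```python
import re

# Indicators as printed in the advisory above, kept in defanged form.
DEFANGED_IOCS = {
    "package": "com.red.alertx",
    "apk": "RedAlert.apk",
    "c2_url": "hxxps://api[.]ra-backup[.]com/analytics/submit[.]php",
    "domain": "ra-backup[.]com",
    "sha256": "83651b0589665b1126870858bfe2832ca317ba75e700c91ac34025ee6578b72",
}

# Constructed log lines standing in for DNS, web proxy and MDM telemetry.
SAMPLE_LOGS = [
    "2025-01-01T10:00:01Z dns client=10.0.0.12 query=api.ra-backup.com type=A",
    "2025-01-01T10:00:02Z proxy client=10.0.0.12 POST https://api.ra-backup.com/analytics/submit.php status=200",
    "2025-01-01T10:00:03Z proxy client=10.0.0.13 GET https://www.example.org/ status=200",
    "2025-01-01T10:05:00Z mdm device=phone-42 event=app_install package=com.red.alertx source=sideload",
    "2025-01-01T10:06:00Z dns client=10.0.0.14 query=ultra-backup.com type=A",
]


def refang(value: str) -> str:
    """Turn defanged notation (hxxp, [.], [:]) back into a matchable string."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else can never match."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def build_matchers(iocs: dict) -> dict:
    """Compile one predicate per indicator type."""
    domain = refang(iocs["domain"])
    # Boundary-aware pattern: matches the domain and its subdomains but not an
    # unrelated name that merely contains it as a substring (e.g. ultra-backup.com).
    domain_re = re.compile(
        r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])", re.IGNORECASE
    )
    c2_url = refang(iocs["c2_url"]).lower()
    matchers = {
        "domain": lambda line: domain_re.search(line) is not None,
        "c2_url": lambda line: c2_url in line.lower(),
        "package": lambda line: iocs["package"] in line,
        # A bare filename is a weak indicator; treat it as corroboration only.
        "apk": lambda line: iocs["apk"] in line,
    }
    if is_valid_sha256(iocs.get("sha256", "")):
        digest = iocs["sha256"].lower()
        matchers["sha256"] = lambda line: digest in line.lower()
    return matchers


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line index, [matched indicator types]) for every line that hits."""
    matchers = build_matchers(iocs)
    hits = []
    for idx, line in enumerate(lines):
        kinds = [kind for kind, match in matchers.items() if match(line)]
        if kinds:
            hits.append((idx, kinds))
    return hits


if __name__ == "__main__":
    for idx, kinds in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(kinds)} -> {SAMPLE_LOGS[idx]}")
```

The domain pattern is deliberately boundary-aware: a plain substring match on ra-backup.com would also fire on names such as ultra-backup.com, and in a DNS log that kind of false positive is common enough to erode trust in the rule.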

Targeted Surveillance Campaign

The campaign appears designed for targeted surveillance rather than mass infection. By disguising the spyware within a trusted emergency alert application, attackers increase their chances of infiltrating devices belonging to individuals who rely on the system for real-time security warnings.

Researchers warn that campaigns like this highlight how threat actors are increasingly exploiting trusted applications and government communication channels to conduct espionage and intelligence collection.

Security Recommendations

Users are advised to install mobile applications only from trusted sources such as official app stores and to avoid downloading APK files from links received via SMS or messaging platforms. Organizations should also monitor mobile devices for unusual network communications and unauthorized application installations.

The findings and technical analysis of this campaign were published by the Acronis Threat Research Unit, which continues to monitor the infrastructure associated with the operation.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.