Infection chain of the campaign | Image: Acronis Threat Research Unit (TRU)
The Acronis Threat Research Unit (TRU) has identified a calculated campaign distributing a trojanized version of the Red Alert rocket warning app, turning a vital safety tool into a gateway for mobile espionage.
The attack targets Israeli Android users via SMS messages that expertly impersonate official Home Front Command communications. By leveraging the urgency of real-world threats, the actors maximize the likelihood that a user will bypass standard security precautions to install the “update”.
What makes this campaign particularly insidious is its commitment to realism. The malicious application “retains full rocket alert functionality, allowing it to appear legitimate while running malicious code in the background”.
To ensure the app survives initial scrutiny, the threat actor implemented sophisticated technical workarounds:
- Certificate Spoofing: The group used spoofing and runtime manipulation “to bypass Android security checks and make the application appear legitimately signed”.
- Permission Abuse: Once the user grants the necessary permissions for the app to function as an alert system, the malware begins “collecting sensitive data, including SMS messages, contacts, location data, device accounts and installed applications”.
The malware is designed for continuous surveillance. Stolen information is staged locally on the device before being “continuously transmitted to a remote command-and-control (C2) server controlled by the attackers”.
Based on the patterns observed, Acronis researchers have linked this activity to a known threat actor: “Based on the available evidence, we assess that this campaign might be linked to Arid Viper (also known as APT-C-23). This assessment is supported by several indicators, including the use of a trojanized Android application, the focus on Israeli targets and spyware functionality”.
The group is known for its well-resourced operations and clear objectives, often utilizing “multiple layers of obfuscation” to protect its infrastructure.
By embedding spyware within a fully functional utility, the operators can maintain a persistent presence on a victim’s device without raising suspicion.
As geopolitical tensions continue to spill over into the digital realm, users are urged to install emergency applications only from official app stores, never through links received via SMS.