CloudSEK has unmasked a malicious SMS spoofing campaign spreading a trojanized version of Israel’s “Red Alert” emergency app. The campaign, which targets civilians seeking real-time rocket alerts during the ongoing Israel-Iran conflict, disguises a potent surveillance engine behind a “trusted warning platform” to steal sensitive personal data.
The “RedAlert” mobile espionage campaign represents a critical threat vector that directly exploits the heightened anxiety of a hyper-vigilant population. Threat actors are distributing the malicious app via targeted smishing (SMS phishing) under the guise of an “urgent wartime update”.
This delivery mechanism is a deliberate attempt to bypass the Google Play Store, which is the only legitimate repository for the authentic “Red Alert” app. While the real app operates cleanly with only basic notification access, this trojanized version successfully deploys an “invasive surveillance engine”.
Once sideloaded, the malware perfectly mirrors the official Israeli Home Front Command application’s graphical user interface. To the end user, there is “absolutely no visual discrepancy in the core functionality,” as the app actively delivers real rocket attack alerts to maintain its disguise.
To evade detection by Android’s system integrity checks, the malware uses a sophisticated multi-stage infection process:
- Package Manager Hooking: The code uses reflection to hook the IPackageManager to cloak itself from security tools.
- Signature Spoofing: It intercepts system calls to return a hardcoded, fake signing certificate instead of the real one.
- Installer Spoofing: The app can even “intercept getInstallerPackageName and force it to return com.android.vending (the Google Play Store)”.
While the official application only requests notification access, the malicious version aggressively prompts victims for high-risk permissions—including Contacts, SMS, and Location—masking them as necessary for the app’s operation.
The moment a user approves even a single permission, the associated data harvesting module is triggered. The malware stages the collected intelligence, including complete contact lists and real-time GPS coordinates, into local files before initiating an exfiltration loop.
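One static check that follows from the permission gap described above: compare what an APK's manifest asks for with what the genuine alert app needs, and map any surplus to the harvesting module it would enable. The script below is an added example for this article, not code from CloudSEK's report or from either app. It assumes the manifest has already been decoded from binary XML to text (for example with apktool), the two manifests are constructed samples with placeholder package names, and the baseline of "network plus notification access" for the legitimate app is an assumption of the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that would feed the harvesting modules described in the report
# (contacts, SMS, location). Any of these in an alert-only app is a red flag.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
}

# Assumed baseline for the genuine app: network access plus posting
# notifications. This set is an assumption of the example, not from the report.
BASELINE = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
}

# Constructed sample manifests (placeholder package names, decoded XML form).
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="placeholder.redalert.genuine">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Red Alert"/>
</manifest>"""

TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="placeholder.redalert.sideloaded">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Red Alert"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> value in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str, baseline=BASELINE) -> dict:
    """Diff requested permissions against the baseline and report what the surplus enables."""
    perms = requested_permissions(manifest_xml)
    excess = perms - set(baseline)
    flagged = {p: HIGH_RISK[p] for p in excess if p in HIGH_RISK}
    if flagged:
        verdict = "high_risk"        # surplus permissions enable a harvesting module
    elif excess:
        verdict = "review"           # surplus, but nothing in the high-risk map
    else:
        verdict = "consistent"       # matches the expected footprint of the genuine app
    return {
        "requested": sorted(perms),
        "excess": sorted(excess),
        "flagged": flagged,
        "modules_enabled": sorted(set(flagged.values())),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("genuine", LEGIT_MANIFEST), ("sideloaded", TROJANIZED_MANIFEST)):
        report = triage(manifest)
        print(label, report["verdict"], report["modules_enabled"])
```

The manifest is only the first signal: a sideloaded build can declare fewer permissions up front and request the rest at runtime, so the same triage should be repeated against what the installed app actually holds (for example from `dumpsys package` output) rather than against the manifest alone.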
According to CloudSEK, “The combination of real-time civilian location tracking during active air raids and the ability to bypass 2FA through SMS interception transforms this campaign into a severe strategic and physical security risk”.
Traffic analysis confirms that the malware maintains “aggressive, persistent communication” with its Command and Control (C2) infrastructure. Data is exfiltrated via HTTP POST requests to a dedicated endpoint: https://api[.]ra-backup[.]com/analytics/submit.php.
The threat actors are leveraging Cloudflare to “proxy and shield their true backend infrastructure,” utilizing IP addresses hosted in AWS environments to facilitate their operations.
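The exfiltration pattern above (repeated HTTP POSTs from one device to a fixed endpoint) is straightforward to hunt for in egress or proxy logs. The script below is an added example for this article, not tooling from CloudSEK or any vendor. It takes the endpoint from the report as its indicator, refanged for matching, and runs over a constructed key=value log format with a few constructed sample lines; it groups POSTs to the indicator by source, and treats a regular inter-request interval as the "persistent communication" the traffic analysis describes.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Exfiltration endpoint from the report, defanged in the article and refanged here for matching.
IOC_HOST = "api[.]ra-backup[.]com".replace("[.]", ".")
IOC_PATH = "/analytics/submit.php"

# Constructed egress-log format for this example: one key=value record per request.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) "
    r"host=(?P<host>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample lines: one device beaconing every ~60 s, one unrelated GET,
# one single contact with the endpoint, and one line that does not parse.
SAMPLE_LOG = [
    "2025-06-20T10:00:00Z src=10.0.0.5 method=POST host=api.ra-backup.com path=/analytics/submit.php bytes_out=4120",
    "2025-06-20T10:00:30Z src=10.0.0.9 method=GET host=example.org path=/index.html bytes_out=310",
    "2025-06-20T10:01:00Z src=10.0.0.5 method=POST host=api.ra-backup.com path=/analytics/submit.php bytes_out=3988",
    "2025-06-20T10:02:01Z src=10.0.0.5 method=POST host=api.ra-backup.com path=/analytics/submit.php bytes_out=4050",
    "2025-06-20T10:02:15Z src=10.0.0.7 method=POST host=api.ra-backup.com path=/analytics/submit.php bytes_out=2200",
    "2025-06-20T10:03:00Z src=10.0.0.5 method=POST host=api.ra-backup.com path=/analytics/submit.php bytes_out=4101",
    "# malformed line that the parser must skip",
]


def parse_line(line: str):
    """Parse one log record into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_exfil(lines, min_posts=3, max_jitter=0.25):
    """Group POSTs to the indicator by source and flag regular (beacon-like) intervals.

    A source is 'persistent_exfiltration' when it has at least min_posts POSTs and the
    population standard deviation of the gaps is within max_jitter of the mean gap;
    anything else that touched the endpoint is reported as 'ioc_contact'.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["host"] == IOC_HOST and rec["path"] == IOC_PATH:
            by_src[rec["src"]].append(rec)

    findings = []
    for src in sorted(by_src):
        recs = sorted(by_src[src], key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        periodic = len(gaps) >= 2 and statistics.pstdev(gaps) <= max_jitter * mean_gap
        findings.append({
            "src": src,
            "posts": len(recs),
            "bytes_out": sum(r["bytes"] for r in recs),
            "mean_interval_s": mean_gap,
            "periodic": periodic,
            "verdict": "persistent_exfiltration" if periodic and len(recs) >= min_posts else "ioc_contact",
        })
    return findings


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOG):
        print(f["src"], f["verdict"], f["posts"], "posts,", f["bytes_out"], "bytes out")
```

Because the backend sits behind Cloudflare, matching on destination IP is unreliable; the host and path from the HTTP layer (or the TLS SNI where the proxy logs it) are the stable parts of the indicator, which is why the matcher above keys on them.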