Trojanized Red Alert App Targets Israeli Users in SMS Scam to Steal Sensitive Data


Security researchers have uncovered a mobile spyware campaign that abuses a trojanized version of the Red Alert rocket warning Android app to target Israeli users via SMS smishing messages impersonating official Home Front Command alerts.

The fake app keeps full rocket alert functionality so it looks and behaves like the legitimate service while silently exfiltrating sensitive data in the background.

Attackers send SMS messages spoofing “Oref Alert” and other Home Front Command–style sender IDs, urging recipients to install or “update” Red Alert due to supposed alert malfunctions or system changes.

The SMS includes a shortened bit.ly link that leads to a malicious APK named RedAlert.apk, using a package identifier such as com.red.alertx instead of the genuine app’s package name.

Israeli citizen’s report of receiving SMS from Oref Alert (Source: TRU).

Users who sideload this APK from outside Google Play are effectively installing a dual-purpose app that delivers real rocket alerts while deploying spyware.

Acronis Threat Research Unit (TRU) reports that this activity was first observed around March 1, 2026, after Israeli citizens posted screenshots of suspicious rocket-alert SMS messages on social media.

TRU’s analysis shows a clear timeline: the C2 domain ra-backup[.]com was registered in mid‑2025, the malicious APK appeared on VirusTotal on March 1 with low initial detections, and the campaign’s smishing lures began circulating at the same time.

This pattern is consistent with purpose‑built, disposable infrastructure spun up for a focused espionage operation.

Trojanized Red Alert App

Static and dynamic analysis reveal that the trojanized Red Alert app employs advanced runtime manipulation to bypass Android integrity checks.


Infection chain of the campaign (Source: TRU).

A loader component hooks the system’s package manager and signature verification APIs, intercepting calls such as PackageManager.getPackageInfo() and returning a forged signing certificate, so that from inside the process the app appears to be legitimately signed and even installed via com.android.vending (Google Play). Such in-process hooks only deceive checks the app performs against itself; the APK file on disk still carries its real signature, so verifying it off-device (for example with apksigner) is unaffected.

At the same time, the app makes heavy use of string obfuscation, encrypts configuration values with per-value XOR keys and uses reflection to hide critical method calls, complicating reverse engineering.

Architecturally, the malware follows a dual‑stage approach. The visible dropper package contains the espionage logic and an embedded copy of the legitimate Red Alert app stored inside the assets.

On launch, the loader extracts the genuine app into the app’s private directory and rewires internal runtime fields so Android executes the real alert client while the spyware runs as a hidden background component.

This design lets victims continue receiving genuine rocket notifications, greatly reducing the chance they will suspect compromise.
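The dropper-plus-embedded-APK layout described above is something an analyst can check for directly. The following is an added example, not TRU's tooling or code from the page: it constructs a synthetic dropper-like APK in memory (an outer zip with `classes.dex` and an inner, signed APK hidden under `assets/` with a non-`.apk` name) and then scans the assets for nested APKs by content rather than by file extension. All entry names and byte contents are made up for the demonstration.

```python
"""Find an APK embedded inside another APK's assets/ directory (added example).

The sample APK built here is entirely constructed; real Android binary XML and
DEX files are far larger, but the detection only relies on zip structure.
"""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that begins every zip/APK


def _mini_apk(extra_entries=None) -> bytes:
    """Build a minimal APK-shaped zip: manifest, dex and a v1 signature stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)  # binary XML stub
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)               # DEX header stub
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x10" + b"\x00" * 16)      # DER stub
        for name, data in (extra_entries or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_dropper() -> bytes:
    """Constructed dropper: the genuine-looking inner app sits in assets/ under a
    misleading name, next to ordinary resources."""
    inner_apk = _mini_apk()
    return _mini_apk({
        "assets/alerts.bin": inner_apk,                 # hidden payload, no .apk extension
        "assets/sounds/siren.ogg": b"OggS" + b"\x00" * 12,
        "assets/cities.json": b'{"cities": []}',
    })


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return one record per assets/ entry that is itself a zip holding an
    AndroidManifest.xml and classes.dex, i.e. an embedded APK."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info.filename)
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue  # zip magic but not a parseable archive
            if {"AndroidManifest.xml", "classes.dex"} <= names:
                found.append({
                    "name": info.filename,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    # v1 (JAR) signature block present -> inner file is a signed APK
                    "signed_v1": any(n.startswith("META-INF/") and
                                     n.endswith((".RSA", ".DSA", ".EC")) for n in names),
                })
    return found


if __name__ == "__main__":
    for hit in find_embedded_apks(build_sample_dropper()):
        print(hit)
```

Comparing the reported SHA-256 against the hash of the genuine app obtained from Google Play tells you whether the dropper wraps an unmodified copy of the legitimate client, which is exactly the arrangement that lets real alerts keep arriving.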

Once installed, the malicious app aggressively abuses permissions to collect a wide range of sensitive data from infected devices.

Its SMS access in particular mirrors a capability common to Android banking trojans and spyware campaigns, enabling attackers to exfiltrate sensitive messages such as one-time passwords (OTPs).


Security-sensitive permissions identified in the AndroidManifest.xml through static analysis (Source: TRU).

TRU notes high‑risk permissions including fine‑grained location, SMS access, contacts, device accounts, boot persistence and overlay capabilities often associated with banking trojans and mobile spyware.

When SMS or contacts permissions are granted, corresponding handlers immediately query Android content providers to dump full message histories and contact records, including phone numbers and email addresses, without additional user interaction.
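A quick way to apply the permission-based reasoning above to a sample is to read the manifest's permission list and bucket it into the capability classes TRU highlights. The following is an added example, not TRU's code: it parses text in the shape that `aapt dump permissions <apk>` prints, using a constructed sample whose package name follows the one quoted in the article, and flags the combination of SMS, contacts, location, accounts, boot persistence and overlay permissions that is out of place for a rocket-alert app. The permission names are the real Android constants; the verdict rule is this example's own heuristic.

```python
"""Bucket an APK's requested permissions into spyware-relevant capabilities.

Added example. Input format mirrors `aapt dump permissions`; SAMPLE_AAPT_OUTPUT
is constructed for illustration and is not the real app's manifest.
"""
import re

PKG_RE = re.compile(r"^package:\s*(\S+)", re.M)
# Handles both "uses-permission: name='X'" and the older "uses-permission: X" form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?", re.M)

# Capability buckets the article calls out as high risk for an alert app.
HIGH_RISK = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

SAMPLE_AAPT_OUTPUT = """\
package: com.red.alertx
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.VIBRATE'
"""

# Constructed baseline for comparison: what a plain alert client might request.
SAMPLE_BENIGN_OUTPUT = """\
package: com.example.alerts
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.VIBRATE'
"""


def parse_aapt_permissions(text: str):
    """Return (package_name_or_None, set_of_permissions)."""
    pkg = PKG_RE.search(text)
    return (pkg.group(1) if pkg else None), set(PERM_RE.findall(text))


def triage(text: str) -> dict:
    """Map requested permissions onto HIGH_RISK buckets and give a verdict.

    Heuristic: three or more buckets hit, including SMS or contacts, is treated
    as spyware-like. Boot persistence alone is normal for an alert app.
    """
    pkg, perms = parse_aapt_permissions(text)
    hits = {bucket: sorted(perms & names)
            for bucket, names in HIGH_RISK.items() if perms & names}
    spyware_like = len(hits) >= 3 and ("sms" in hits or "contacts" in hits)
    return {"package": pkg, "permissions": sorted(perms),
            "hits": hits, "spyware_like": spyware_like}


if __name__ == "__main__":
    for sample in (SAMPLE_AAPT_OUTPUT, SAMPLE_BENIGN_OUTPUT):
        print(triage(sample))
```

Run against a real file with `aapt dump permissions suspect.apk > perms.txt` and feed the text to `triage()`. A bucket hit on its own is a weak signal; the point is the combination, and that a rocket-alert client has no business reading SMS or contacts.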

The spyware also tracks precise GPS coordinates and uses geofencing logic to trigger certain actions only when a victim’s device is within specific areas, suggesting targeted surveillance of particular cities or regions.

Further routines enumerate all installed applications and harvest device accounts using reflection against Android’s AccountManager, allowing operators to profile each victim’s digital footprint and linked services.

Code analysis – V (Source: TRU).

Collected data is staged locally, then periodically exfiltrated via HTTPS POST requests to a hard‑coded C2 endpoint at api.ra-backup[.]com/analytics/submit.php, which is protected by layered string obfuscation and appears to be purpose‑built for this campaign.
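The per-value XOR obfuscation mentioned earlier and the hard-coded C2 endpoint here are two sides of the same analysis task: recover the cleartext strings, then pull the network indicators out of them. The following is an added example, not TRU's code: the blob layout (a one-byte key length, the key, then the XOR'd bytes) and all sample values except the C2 URL named in the article are constructed assumptions. It also shows the brute-force fallback an analyst uses when a single-byte key is not stored alongside the ciphertext, scoring candidate plaintexts for URL-like characters.

```python
"""Recover XOR-obfuscated strings and extract network IOCs (added example).

Blob format, sample keys and non-C2 strings are assumptions made for this
demonstration; real samples will differ in layout and must be read from the
decompiled code.
"""
import re
import string

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")
# Conservative TLD allowlist so package names like com.android.vending are not
# mistaken for domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|biz|il|ru|cn)\b")
# Characters expected in URL/path-like config strings; used to score candidates.
URLISH = set(string.ascii_lowercase + string.digits + "./:_-")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encode == decode)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: str, key: bytes) -> bytes:
    """Assumed blob layout: len(key) | key | xor(plain, key)."""
    return bytes([len(key)]) + key + xor_bytes(plain.encode(), key)


def deobfuscate(blob: bytes) -> str:
    klen = blob[0]
    key, cipher = blob[1:1 + klen], blob[1 + klen:]
    return xor_bytes(cipher, key).decode()


def recover_single_byte_key(cipher: bytes) -> int:
    """Brute-force a 1-byte XOR key, preferring the plaintext with the most
    URL-like characters. Crude, but effective on paths, URLs and package names."""
    def score(k):
        return sum(1 for b in xor_bytes(cipher, bytes([k])) if chr(b) in URLISH)
    return max(range(256), key=score)


def extract_indicators(strings) -> dict:
    urls, domains = set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        domains.update(DOMAIN_RE.findall(s))
    return {"urls": sorted(urls), "domains": sorted(domains)}


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into reports."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


# Constructed config table: every value carries its own key.
SAMPLE_BLOBS = [
    obfuscate("https://api.ra-backup.com/analytics/submit.php", b"\x5a\x13\xc8"),
    obfuscate("content://sms/inbox", b"\x77"),
    obfuscate("com.android.vending", b"\x0e\x91"),
]
# Same string as blob 2, but this time stored without its key.
SAMPLE_KEYLESS_CIPHER = xor_bytes(b"content://sms/inbox", b"\x77")


def analyse(blobs=SAMPLE_BLOBS) -> dict:
    """Decode every blob and report the indicators found in the cleartext."""
    plain = [deobfuscate(b) for b in blobs]
    iocs = extract_indicators(plain)
    return {"strings": plain, "iocs": iocs,
            "defanged": [defang(u) for u in iocs["urls"]]}


if __name__ == "__main__":
    print(analyse())
    k = recover_single_byte_key(SAMPLE_KEYLESS_CIPHER)
    print(hex(k), xor_bytes(SAMPLE_KEYLESS_CIPHER, bytes([k])).decode())
```

The recovered URL matches the article's endpoint, and the decoded `content://sms/inbox` URI is the kind of string that confirms the SMS-dumping behaviour described earlier. Multi-byte keys with unknown length need a frequency-based approach rather than this 256-candidate loop.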

Likely Arid Viper involvement

Multiple vendors assess that the campaign is likely linked to Arid Viper (APT‑C‑23), a Hamas‑aligned cyber‑espionage group with a long history of Android spyware operations against Israeli targets.

The use of a trojanized civilian Android app, intensive surveillance capabilities and tailored targeting of Israeli mobile users during periods of rocket fire are consistent with this group’s past tradecraft.

Separately, TRU’s code analysis shows that in the Unflush() method the spyware retrieves the system PackageManager and requests the full list of installed applications using a metadata flag, which is how the app inventory described above is gathered.

Code analysis – VI (Source: TRU).

While attribution remains probabilistic, the technical overlap and targeting focus point to a capable, well‑resourced threat actor.

By weaponizing a trusted emergency warning system, the operators exploit wartime fear and public reliance on critical alert infrastructure to drive installation of surveillance malware at scale.

This campaign underscores how mobile platforms and official‑looking SMS alerts can be turned into high‑impact espionage tools, and highlights the need for users to install emergency apps only from official app stores and verify any “update” prompts that arrive via unsolicited messages.



