A deceptive mobile phone campaign has been discovered by the research firm Acronis targeting people in Israel by using a fake version of a popular life-saving app. According to researchers from the Acronis Threat Research Unit (TRU), the scam involves a modified version of the Red Alert app, which is widely used to provide real-time warnings about incoming rockets.
How the Scam Works
The attack starts with a simple text message. As we know it, during times of conflict, people are much more likely to trust emergency alerts. The scammers take advantage of this by sending SMS messages that look like they are from the official Home Front Command. These messages claim there is a technical problem with the current alert system and provide a link to download an updated version.
Once a user clicks the link and installs the file, the app actually works just like the real one. It shows legitimate rocket alerts, which helps it stay hidden on the phone. However, while the app looks normal on the surface, it is secretly running malicious code in the background to steal private data.
Deep Data Theft
As per Acronis’ research blog post, shared with Hackread.com, the app asks for a total of 20 permissions, including six highly sensitive ones. Once these are granted, the software can track a user’s precise GPS location, read private text messages to intercept one-time passwords, and collect contact lists. Further investigation revealed that it also identifies all other apps installed on the phone and extracts accounts registered on the device, such as Google or email.
The Acronis team also found that the stolen data is sent back to a remote server. To make the app seem safe, the creators used certificate spoofing to trick Android security and even forced the phone to say the app was installed from the Google Play Store.
A Pattern of Deception
It is worth noting that this is not the first time this team has seen such tactics. Researchers noted that this campaign follows a pattern of using geopolitical events to trick victims. Acronis TRU observed similar activity during the January Venezuela operation, in which the China-linked group Mustang Panda reportedly used themed phishing to target officials and deploy LOTUSLITE malware.
The team also discovered the Crescent Harvest campaign last month, which targeted Iranian protestors by hiding malware inside documents that praised the demonstrations. In this latest case, which was discovered on 1 March 2026, “the urgency to install or update such an application overrides the caution users might otherwise exercise,” researchers noted. They believe the group known as Arid Viper (or APT-C-23) might be behind the attack, as the methods match their previous work targeting the region.
Israeli Alert Apps and Previous Scams
This is not the first time hackers have exploited rocket-alert applications used by Israelis. In October 2023, the pro-Palestinian hacktivist group AnonGhost claimed it had compromised the Red Alert app and used it to send fake emergency notifications, including warnings about fake rockets and even nuclear attacks.
Later that same month, researchers from Cloudflare’s Cloudforce One team uncovered a separate campaign involving a fake RedAlert-themed Android app distributed through a malicious website that closely mimicked the legitimate service. Victims who downloaded the APK believed they were installing the official Rocket Alert app, but the software was actually spyware designed to collect sensitive data from infected devices.
