- Hackers distributed trojanised Israel Red Alert Android app.
- Campaign used SMS spoofing posing as Home Front Command.
- Malware stole SMS, contacts and location data.
- CloudSEK reported campaign in March 3 threat report.
Hackers are masquerading the Home Front Command in Israel to install spywareu aerobombs on Android phones transforming an emergency app that saved lives to a live surveillance platform.
Encouraging panic in close quarters during the ongoing Israel-Iran conflict, AI-driven cybersecurity company CloudSEK discovered an evil mobile campaign delivering a trojanised version of the Israel Red Alert emergency application and took the chance to install fully working spyware on Android devices.
Privacy text messaging campaign, described in a CloudSEK threat intelligence report published on March 3, involves SMS spoofing in which users are deceived into sideloading a counterfeit APK file outside of the Google Play Store posing as the Home Front Command in Israel. The messages that are spoofed seem to be sent by official civil defence communications and tell recipients to install what is presented as an emergency wartime update.
Attackers are taking advantage of urgent conflict situations to install on Android devices a trojanised application that may steal SMS, contacts and location information to transform a legitimate use of the service by people into a surveillance and theft of data threat, according to Shashank Shekhar, managing editor at CloudSEK.
Biometrics: Within the Trojan: Permissions, Payload and the Exfiltration Trail
That application is malicious, named com.red.alertx, and its interface is a faithful recreation of the real Red Alert one to ensure its disguise. This critical divergence is taking place at installation.
Whereas the legitimate application needs only the notification access, the trojanised application has high-risk permissions such as READSMS, READCONTACTS, and ACCESSFINELOCATION aggressively needed by the legitimate application. It then silently intercepts complete SMS inboxes once granted, plunders address books and sends a constant stream of GPS coordinates to initiator-controlled infrastructure.
Also Read: Amazon's Cloud Data AWS Facility in UAE Reports Outage, Denies to Link it to Iran Attacks
Exfiltration is done through the HTTP POST requests to the domain of api.ra-backup[.]com and the backend of the campaign will be handled by IP addresses that will be associated with the AWS and Cloudflare prostitutes to make it even harder to trace.
DSCE Spoofing, Proxy Hooks and multi-stage Chain of Infection Infection
The runtime scan conducted by CloudSEK demonstrated that there were several layers of evasion that were meant to make CloudSEK unable to detect.
The malware forges the signature certificate of the original app (which was signed in 2014) and replaces the install metadata to indicate a Play Store origin before using reflection and proxy hooks to tamper with the Android package manager to circumvent normal integrity checks.
A dynamically loaded second payload performs an infection chain of multi-stages, and a background thread quietly monitors and acts on approval permission grants once the installation is finished
Beyond Espionage: Physical Security Threats, Lost citizen confidence
According to CloudSEK, the threat is far much more than the traditional mobile malware. Within a live conflict situation, live tracking by GPS would reveal locations of civilian shelter, track the patterns of displaced population, or plots the concentrations of military reservists on the urban streets.
Intercepted SMS messages pose a threat of making it possible to 2FA a user, phish against a high-value individual with particular and target abilities, and conduct operations of a psychological nature. There is also a bigger strategic component to the campaign: hijacking the branding of an emergency app that civilians rely on to keep them safe puts the operation at risk of undermining people's confidence to the official alerts mechanisms at a time when trust is the most susceptible.
CloudSEK reported that the campaign is taking place in parallel with a broader hybrid attack that also consists of hacktivist intrusions and DDoS attacks - the same context of conflict that had also been targeted with countersale strikes damaging Amazon data centres in the UAE in the last week.
Guidance to the users and organisations by CloudSEK
CloudSEK wanted users to install nothing by following links provided in the SMS messages, no matter how urgent the message might sound and to install emergency applications only on the official Google Play Store.
Also Read: Anthropic Restores Claude After Widespread Outage and Elevated Errors
On the gadgets that were already suspected of being infected, the company advised that they be immediately disconnected to all the networks, all administrative permissions be removed and in most instances, a full format of the devices.
