Fake "Red Alert" App Spies on Users Amid Israel-Iran Conflict, Warns Cybersecurity Firm

A cybersecurity firm has uncovered a malicious campaign distributing a fake version of Israel's official "Red Alert" emergency app via SMS spoofing. The trojanised app requests high-risk permissions to intercept SMS, harvest contacts, and track GPS coordinates in real time. The malware uses advanced evasion techniques, including signature and installer spoofing, to appear legitimate. Researchers warn the spyware poses severe risks, from bypassing two-factor authentication to exposing civilian movements during air raids.

Key Points: Fake Red Alert App Spyware Spreading via SMS Spoofing

  • Malicious SMS spoofing campaign
  • Fake "Red Alert" Android app
  • Steals SMS, contacts & location
  • Uses cloud infrastructure for evasion
  • Poses digital & physical security risks

Cybersecurity firm flags fake 'Red Alert' app spreading via SMS spoofing amid West Asia conflict

Cybersecurity firm CloudSEK warns of a malicious SMS campaign spreading a fake "Red Alert" app that steals SMS, contacts, and location data.

"Real-time location tracking during active air raids could expose civilian movement patterns" - CloudSEK

New Delhi, March 3

AI-driven cybersecurity firm CloudSEK has uncovered a malicious SMS spoofing campaign distributing a trojanised version of Israel's official "Red Alert" emergency mobile application, exploiting public panic amid the ongoing Israel-Iran conflict.

According to the company, threat actors are spreading a fake Android app through targeted SMS phishing (smishing) messages that prompt users to sideload an APK file posing as an urgent wartime update.

The malicious app impersonates the official alert platform of Israel's Home Front Command and mirrors its interface while embedding spyware capabilities.

Unlike the legitimate app available on the Google Play Store, the trojanised version requests high-risk permissions, including access to SMS, contacts and precise location data, CloudSEK said.

Once installed, the malware can intercept entire SMS inboxes, harvest contact lists and continuously track GPS coordinates.

CloudSEK also noted that the malware uses advanced evasion techniques, including signature spoofing to mimic the original app's 2014 signing certificate and installer spoofing to appear as if it were downloaded from the Play Store.

The application dynamically loads hidden payloads and executes a multi-stage infection chain to bypass standard security checks.

During runtime analysis, researchers observed that the malware initiates background threads to monitor permission approvals.

Data collected from infected devices is staged locally and exfiltrated via HTTP POST requests to attacker-controlled infrastructure, including the domain api.ra-backup[.]com.

The campaign leverages cloud-hosted infrastructure, with IP addresses linked to AWS and Cloudflare services, making backend attribution more difficult.
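The three red flags described above (high-risk permissions the genuine app never requests, a signing certificate whose visible metadata has been cloned, and an installer that claims to be the Play Store) can be turned into triage rules over a device-inventory record. The Python below is an added example, not CloudSEK's or the article's code; the package names, permission baseline and certificate bytes are constructed placeholders.

```python
"""Triage rules for a sideloaded 'Red Alert' look-alike: permissions the genuine
app never requests, a cloned signing certificate, and a spoofed installer."""
import hashlib
from dataclasses import dataclass

PLAY_STORE = "com.android.vending"
# Constructed stand-in for the genuine app's DER signing certificate; in
# production, pin the published SHA-256 hex of the real certificate instead.
GENUINE_CERT_DER = b"constructed-placeholder-genuine-cert-der"
BASELINE_PERMS = {"android.permission.INTERNET",          # constructed baseline
                  "android.permission.POST_NOTIFICATIONS"}
SPYWARE_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                 "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"}

def cert_fingerprint(der: bytes) -> str:
    # Subject and validity text can be copied into a fresh self-signed cert;
    # the digest of the DER bytes cannot, so the digest is what gets pinned.
    return hashlib.sha256(der).hexdigest()

GENUINE_CERT_SHA256 = {cert_fingerprint(GENUINE_CERT_DER)}

@dataclass
class AppRecord:
    """One installed package as an MDM/EDR inventory agent would report it."""
    permissions: set
    cert_der: bytes        # signing certificate, DER encoded
    cert_subject: str      # human-readable and spoofable
    installing_pkg: str    # declared by the install session (spoofable)
    initiating_pkg: str    # the app that actually performed the install

def triage(app: AppRecord) -> list:
    """Return the findings that fired; an empty list means no red flag."""
    findings = []
    extra = (app.permissions & SPYWARE_PERMS) - BASELINE_PERMS
    if extra:
        findings.append(f"high-risk permissions beyond baseline: {sorted(extra)}")
    if cert_fingerprint(app.cert_der) not in GENUINE_CERT_SHA256:
        findings.append(f"cert fingerprint not pinned; subject '{app.cert_subject}' proves nothing")
    if app.installing_pkg == PLAY_STORE and app.initiating_pkg != PLAY_STORE:
        findings.append(f"installer spoofed: claims Play Store, installed by {app.initiating_pkg}")
    return findings

# Constructed samples: the trojanised sideload's cloned cert copies the subject text.
SUBJECT = "CN=Red Alert (placeholder), valid from 2014"
GENUINE = AppRecord(set(BASELINE_PERMS), GENUINE_CERT_DER, SUBJECT,
                    PLAY_STORE, PLAY_STORE)
FAKE = AppRecord(BASELINE_PERMS | SPYWARE_PERMS,
                 b"constructed-cloned-cert-with-copied-subject", SUBJECT,
                 PLAY_STORE, "com.android.packageinstaller")
```

Running `triage(GENUINE)` yields no findings, while `triage(FAKE)` fires all three rules even though the fake certificate's subject text is identical to the original.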

CloudSEK warned that the spyware poses both digital and physical security risks. The firm noted that real-time location tracking during active air raids could expose civilian movement patterns, while SMS interception may allow attackers to bypass two-factor authentication and target high-value individuals.

The company advised users to avoid installing applications from unknown sources and to download emergency apps only from official app stores. For suspected infections, it recommended immediate device isolation and a full factory reset to prevent further data compromise.

- IANS


Reader Comments

Rohit P
Exploiting a war situation to spread malware is a new low. These hackers have no shame. Good job by CloudSEK for flagging this. Our own CERT-In should issue a public advisory for Indian citizens too.
Aman W
The technical details are scary – mimicking the 2014 certificate? That's sophisticated. Makes you wonder who is behind this. State actors maybe? This isn't just some random scam.
Sarah B
While the warning is crucial, the article's advice of a "full factory reset" is a bit extreme as a first step for the average user. Many people don't have their data backed up. A simpler guide on checking for malicious apps would be more helpful.
Vikram M
This is why digital literacy is so important in India. My parents would probably click on anything that says "urgent update". We need to educate our elders about these threats. Jago Grahak Jago, but for cyber safety!
Karthik V
Using AWS and Cloudflare... tracing will be nearly impossible. These services need better accountability. What if a similar fake app starts circulating in India during a crisis? Our infra is vulnerable too.
