Fake Red Alert app used in Android spyware smishing

Acronis’ Threat Research Unit has uncovered a targeted campaign aimed at Android users, utilizing a counterfeit version of Israel’s Red Alert rocket warning app to distribute spyware. This malicious software is disseminated through SMS messages that masquerade as official communications from the Home Front Command, urging recipients to download an “update” following a purported malfunction.

App mimicry

The fraudulent application is crafted to closely resemble a legitimate safety tool, maintaining the rocket alert functionality of the authentic Red Alert app. This design choice minimizes suspicion post-installation, as users continue to receive familiar notifications, thereby facilitating the spyware’s covert operations.

Once installed, the spyware begins to collect sensitive data, including SMS messages, contacts, location information, device accounts, and a list of installed applications. Researchers have termed this tactic “smishing,” a blend of SMS and phishing, where the bait is an emergency service update purportedly from the Home Front Command.

Bypassing checks

The investigation revealed that the malware employs sophisticated techniques to appear legitimately signed. It utilizes certificate spoofing and runtime manipulation to circumvent Android’s signature checks. Notably, the analyzed sample attempts to mimic a Google Play installation by spoofing the installer source and returning values typically associated with Google’s app marketplace.

To enhance its appearance of legitimacy, the malware is structured in two stages: a loader and a secondary component that executes the real alert application. The loader extracts the genuine app from within the package, prompting Android to run it while the spyware operates discreetly in the background.

Data theft

The spyware meticulously monitors user permissions. Once access to SMS is granted, it harvests messages, potentially compromising one-time passcodes used for authentication. Following the approval of contacts access, it collects names, phone numbers, and email addresses stored on the device.

Moreover, the malware tracks location data, allowing it to adjust its behavior based on the user’s geographical position. The research team noted that it can compare a victim’s location with predefined target areas, triggering specific actions based on distance. Additionally, it extracts a list of accounts on the device via Android’s account management functions and enumerates installed applications to create a comprehensive device profile.

Data collected by the spyware is staged locally before being transmitted to a remote command-and-control server. Acronis reported that the malware continuously exfiltrates information once it has been installed.

Infrastructure clues

The command-and-control infrastructure is hardcoded within the app and obscured through layered string encoding. The analysis identified the exfiltration endpoint hosted under the domain ra-backup[.]com, with submissions directed to an address under api[.]ra-backup[.]com. This domain, registered through Namecheap, appears to be relatively new.

At the time of analysis, the exfiltration path returned an error response, suggesting that the server might be gated by specific request requirements or could have been taken offline.

Possible attribution

Acronis has assessed that this campaign may be linked to the group known as Arid Viper, or APT-C-23. The indicators observed align with previous activities attributed to this group, including the deployment of trojanized Android applications, a focus on Israeli targets, and the implementation of spyware functionality. However, the report cautioned that these indicators are not unique and have been observed in other Android surveillance operations.

This activity reflects a broader pattern of cyber operations associated with regional tensions. Security researchers have noted a mix of hacktivist groups and operators aligned with nation-states, including reported distributed denial-of-service attacks and attempts to breach sensitive networks. The report referenced groups such as Handala and other actors linked to Iran’s Ministry of Intelligence and Security (MOIS) in recent years.

Risk reduction

In light of these findings, researchers advise users to download applications solely from official sources and to refrain from sideloading Android packages received through SMS links or shortened URLs. The legitimate Red Alert app is available on Google Play, and users should be wary of updates arriving via shortened links sent through text messages.

Acronis also recommends a thorough review of app permissions. Any application claiming to be Red Alert that requests access to SMS, contacts, location, or overlay functions should be regarded with suspicion. Users are encouraged to check for the package name com.red.alertx on potentially affected devices and to remove it if found. For confirmed infections, a factory reset is advised, along with changing credentials for accounts accessed from the compromised device.
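The following triage script is an added example and is not code from the Acronis report. It turns the two defensive points above into checks an analyst can run: the package-name and permission review recommended here, and, because the report says the sample spoofs its installer source and the values a running app returns about its own provenance, a signer check done on the APK file itself with apksigner rather than on anything the app reports. It assumes adb and apksigner (Android SDK build-tools) on PATH and a device with USB debugging enabled; the known-good signer digest is a placeholder the report does not supply, and the sample tool output at the bottom is constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added triage helper, not from the Acronis report. Each check reads the
# relevant tool output from stdin so it also works over saved output.

IOC_PACKAGE="com.red.alertx"          # package name given in the report
# Placeholder (assumption): replace with the SHA-256 signer digest of the
# genuine Red Alert app taken from a Google Play install.
EXPECTED_SIGNER_SHA256="REPLACE_WITH_KNOWN_GOOD_SIGNER_SHA256"

# Exit 0 if `pm list packages` output on stdin names the indicator package.
ioc_present() {
    grep -qx "package:$1"
}

# Print the sensitive permissions named in the report (SMS, contacts,
# location, overlay, accounts) that `dumpsys package <pkg>` shows as granted.
granted_sensitive_permissions() {
    grep -E 'android\.permission\.(READ_SMS|RECEIVE_SMS|READ_CONTACTS|ACCESS_FINE_LOCATION|ACCESS_COARSE_LOCATION|SYSTEM_ALERT_WINDOW|GET_ACCOUNTS): granted=true' \
      | sed -E 's/^[[:space:]]*([A-Za-z_.]+):.*/\1/' \
      | sort -u
}

# Exit 0 if `apksigner verify --print-certs` output on stdin reports the
# expected signer digest (compared case-insensitively). The certificate comes
# from the APK on disk, not from what the app says about itself.
signer_matches() {
    grep -E '^Signer #1 certificate SHA-256 digest: ' \
      | sed -E 's/^.*: *//' \
      | tr 'A-F' 'a-f' \
      | grep -qx "$(printf '%s' "$1" | tr 'A-F' 'a-f')"
}

# Run all checks against a connected device.
triage_device() {
    if adb shell pm list packages | tr -d '\r' | ioc_present "$IOC_PACKAGE"; then
        echo "FOUND $IOC_PACKAGE"
        echo "granted sensitive permissions:"
        adb shell dumpsys package "$IOC_PACKAGE" | tr -d '\r' | granted_sensitive_permissions
        apk_path=$(adb shell pm path "$IOC_PACKAGE" | tr -d '\r' | sed -n 's/^package://p' | head -n 1)
        adb pull "$apk_path" suspect.apk >/dev/null
        if apksigner verify --print-certs suspect.apk | signer_matches "$EXPECTED_SIGNER_SHA256"; then
            echo "signer matches known-good certificate"
        else
            echo "signer does NOT match known-good certificate"
        fi
    else
        echo "$IOC_PACKAGE not installed"
    fi
}

# Constructed sample output (not captured from a real device).
SAMPLE_PACKAGES='package:com.android.vending
package:com.red.alertx
package:com.example.messaging'
SAMPLE_DUMPSYS='  runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]'
SAMPLE_APKSIGNER='Signer #1 certificate DN: CN=Example
Signer #1 certificate SHA-256 digest: 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
Signer #1 certificate SHA-1 digest: 1111111111111111111111111111111111111111'

# Offline demonstration over the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_PACKAGES" | ioc_present "$IOC_PACKAGE" && echo "sample: $IOC_PACKAGE present"
    printf '%s\n' "$SAMPLE_DUMPSYS" | granted_sensitive_permissions
}

case "${1:-}" in
    --device) triage_device ;;
    *) demo ;;
esac
```

Run it with no arguments to see the parsers work over the constructed samples, or with `--device` against a connected phone. The signer comparison is the part worth keeping even outside this campaign: installer attribution and Play-looking return values are under the app's control at runtime, whereas the signing certificate embedded in the APK is not.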

“This campaign highlights how trusted emergency services can be weaponized during periods of geopolitical tension, combining social engineering with mobile espionage to exploit user trust and maximize impact,” said Subhajeet Singha, author at Acronis’ Threat Research Unit.
