RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command
A malicious SMS spoofing campaign is spreading a fake version of Israel's 'Red Alert' emergency app amid ongoing conflict. The trojanized Android app, disguised as a trusted warning platform, can steal SMS, contacts, and location data while appearing legitimate. The campaign exploits public fear during crises to deploy mobile spyware. The malware uses sophisticated techniques to bypass security checks, including package manager hooking and dynamic payload loading. It mirrors the official app's interface but requests high-risk permissions. The malware continuously tracks GPS coordinates and exfiltrates data to attacker-controlled infrastructure, posing severe strategic and physical security risks. This campaign erodes trust in emergency response systems and could potentially be used for targeted attacks or to optimize missile targeting.
AI Analysis
Technical Summary
This threat is a sophisticated Android malware campaign distributing a trojanized version of Israel's 'Red Alert' emergency alert app. The attackers use SMS spoofing to impersonate messages from the Israeli Home Front Command, tricking users into installing the fake app during a time of heightened crisis and fear. The malicious app closely mimics the official app's user interface to avoid suspicion but requests extensive permissions that enable it to steal SMS messages, contacts, and continuously track GPS location data. It employs advanced evasion techniques including hooking into the Android package manager to hide its presence and dynamically loading payloads to bypass static and dynamic security checks. The stolen data is exfiltrated to attacker-controlled infrastructure via specific domains and URLs identified in the indicators. The continuous GPS tracking and data theft pose severe strategic risks, potentially enabling adversaries to optimize missile targeting or conduct targeted attacks. The campaign undermines public trust in emergency alert systems, which could have cascading effects on civilian safety and national security. While no known exploits in the wild have been reported, the malware's capabilities and context of deployment during an ongoing conflict elevate its threat level. The campaign is linked to geopolitical tensions between Israel and Iran, suggesting a state or state-affiliated actor may be involved. The malware's hashes and command-and-control infrastructure are documented for detection and blocking.
Potential Impact
The impact of this campaign is multifaceted and severe. For individuals, it results in loss of privacy through theft of SMS messages, contacts, and continuous location tracking. For organizations, especially government and emergency response agencies, it erodes trust in critical public safety infrastructure, potentially leading to reduced compliance with legitimate alerts. Strategically, the exfiltrated GPS and communication data can be used to optimize missile targeting or conduct precision attacks, increasing physical security risks. The campaign could disrupt emergency response coordination and civilian safety during crises. The malware's ability to evade detection complicates incident response and forensic investigations. The broader geopolitical implications include escalation of conflict and destabilization of regional security. The campaign's focus on Israeli users makes Israel the primary target, but spillover effects could affect neighboring countries and allied organizations. The erosion of trust in emergency systems could have long-term societal impacts beyond the immediate technical damage.
Mitigation Recommendations
1. Educate users to only download the official Red Alert app from trusted sources such as the Google Play Store or official government websites, and to be wary of SMS messages claiming to be from the Home Front Command that include app download links.
2. Implement mobile device management (MDM) solutions in organizational environments to restrict installation of apps from unknown sources and enforce app whitelisting.
3. Use mobile threat defense (MTD) tools capable of detecting package manager hooking and dynamic payload loading behaviors indicative of this malware.
4. Monitor network traffic for connections to known malicious domains such as api.ra-backup.com and block these at network perimeter devices.
5. Employ endpoint detection and response (EDR) solutions on Android devices that can detect suspicious permission requests and anomalous GPS tracking activities.
6. Conduct regular threat intelligence updates incorporating the provided malware hashes and URLs to enable timely detection and blocking.
7. Coordinate with national cybersecurity agencies to disseminate alerts and guidance to the public during conflict periods to reduce the effectiveness of social engineering.
8. Encourage users to verify emergency alerts through official channels and report suspicious messages or apps immediately.
9. For organizations, implement layered security controls including network segmentation and strict access controls to limit data exposure if a device is compromised.
10. Regularly audit and update incident response plans to include scenarios involving mobile spyware and misinformation campaigns.
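As an added example (not code from the advisory, CloudSEK or AlienVault), the following Python matcher applies this page's indicators to constructed proxy log lines and to a file's MD5/SHA-256 hashes, covering recommendations 4 and 6 above; the log line format and helper names are assumptions, and the domain check deliberately also flags subdomains of the listed domain while ignoring look-alike hosts.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from this advisory's IoC list.
IOC_HASHES = {
    "9c6c67344fecd8ff8dbbee877aad7efc",                                   # MD5
    "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72",  # SHA-256
}
IOC_DOMAINS = {"api.ra-backup.com"}
IOC_URLS = {
    "https://api.ra-backup.com/analytics/submit.php",
    "https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk",
}

# Constructed proxy log (not real telemetry): timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2026-03-03T17:01:02Z 10.0.0.12 GET https://www.example.org/index.html
2026-03-03T17:01:09Z 10.0.0.12 GET https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk
2026-03-03T17:03:41Z 10.0.0.12 POST https://API.ra-backup.com/analytics/submit.php?v=2
2026-03-03T17:05:00Z 10.0.0.31 GET https://ra-backup.com.example.net/
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # assumed log layout

def host_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def url_matches(url: str) -> bool:
    """Compare scheme://host/path only; C2 beacons often vary the query string."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path}" in IOC_URLS

def scan_proxy_log(text: str) -> list[dict]:
    """Return one hit record per log line that touches a listed domain or URL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        reasons = []
        if host_matches(urlsplit(url).hostname or ""):
            reasons.append("domain")
        if url_matches(url):
            reasons.append("url")
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits

def file_hash_matches(data: bytes) -> bool:
    """Check a downloaded file (e.g. an APK) against both listed hashes."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}
    return bool(digests & IOC_HASHES)
```

Feed `scan_proxy_log` your own proxy or DNS export after adjusting `LOG_RE`; a client that both fetched the APK URL and later beaconed to the listed domain is the sequence this campaign describes.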
Affected Countries
Israel, Iran, United States, United Kingdom, Germany, France, Canada, Australia
Indicators of Compromise
- hash: 9c6c67344fecd8ff8dbbee877aad7efc
- hash: 83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72
- url: https://api.ra-backup.com/analytics/submit.php
- domain: api.ra-backup.com
- url: https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command
- Adversary: null
- Pulse Id: 69a7014c0919cca0bf0d6d59
- Threat Score: null
Threat ID: 69a71422d1a09e29cb5de9e4
Added to database: 3/3/2026, 5:02:26 PM
Last enriched: 3/3/2026, 5:17:36 PM
Last updated: 3/4/2026, 8:13:28 AM