The Register

Spyware disguised as emergency-alert app sent to Israeli smartphones

Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis’ smartphones via SMS messages, according to security researchers.

Acronis Threat Research Unit (TRU) analysts discovered the malicious app – a trojanized version of the Red Alert rocket app used by millions of Israelis – on March 1, after multiple citizens began reporting the scam on social media.

“At the moment there’s no way to know for sure what the scope or size is, or how many infections were successful,” TRU senior security researcher Eliad Kimhy told The Register. “The campaign is likely indiscriminate,” Kimhy added, noting the Israeli National Cyber Directorate and all major Israeli news sites have since released a warning about the phishing attack. This “further supports the theory that this is broadly indiscriminate.”

The threat researchers say the campaign may be linked to a Hamas-aligned cyberespionage group called Arid Viper (aka APT-C-23, Desert Falcons, or Two-tailed Scorpion) that has been active since at least 2013. This crew typically targets Israelis using surveillance malware for Android, iOS, and Windows systems.

This new campaign used SMS messages impersonating the official “Oref Alert” rocket warning service, distributed from spoofed sender IDs, and urged recipients to install an updated version of the emergency-alert app. The messages included a bit.ly shortened link – but instead of taking users to a legitimate Red Alert update, it redirected them to download spyware that collects and steals their information.

The malware’s developers used spoofed certificates and the app also spoofed the installer source, making the software appear to have been installed from Google Play. This allowed it to bypass Android security checks and appear to have been legitimately signed.

Analysis of the malware indicates that it requests 20 permissions. Of those, six are especially worrisome as they allow real-time access to a user’s precise GPS location, their SMS messages, contact lists, and accounts stored on the device. It also allows the operator to create phishing overlays on top of other applications on the phone, thus enabling attackers to intercept one-time passwords, credentials, and account numbers. Plus, the spying app maintains persistence on victims’ phones by automatically starting after device reboot.
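As an added example (not code from Acronis TRU or this article), the script below triages an Android manifest for the permission profile just described: precise location, SMS, contacts, device accounts, overlay drawing and boot persistence. The permission strings are the standard Android ones; the manifest it parses is constructed for the demonstration.

```python
"""Flag the permission profile described in the article in an AndroidManifest.xml.
Added example; the sample manifest below is constructed, not a real malware sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability each permission grants, keyed by the standard Android permission name.
RISKY = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_SMS": "read stored SMS (one-time passwords)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "accounts stored on the device",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays over other apps (phishing)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot (persistence)",
}

def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the names declared via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def triage(manifest_xml: str) -> dict:
    perms = requested_permissions(manifest_xml)
    hits = {p: RISKY[p] for p in perms if p in RISKY}
    # SMS access + overlay + boot persistence together is the OTP/credential-theft
    # pattern the article describes; score the combination, not single permissions.
    sms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & set(hits)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in hits
    persist = "android.permission.RECEIVE_BOOT_COMPLETED" in hits
    return {"total": len(perms), "risky": hits,
            "otp_theft_pattern": bool(sms) and overlay and persist}

# Constructed manifest for demonstration purposes only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alert">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, why in result["risky"].items():
        print(f"{perm}: {why}")
    print("OTP-theft pattern:", result["otp_theft_pattern"])
```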

All of this stolen data is staged locally and then continuously transmitted to the attackers’ remote command-and-control (C2) server.

“Periods of military escalation in the region are consistently accompanied by a rise in cyber operations, and previous conflicts involving Israel have repeatedly triggered campaigns by hacktivist and espionage-focused actors seeking to exploit the situation,” TRU lead security researcher Santiago Pontiroli told The Register.

“Attackers frequently leverage wartime themes such as emergency alerts, missile warnings, or security updates as social engineering lures to distribute surveillance malware and collect sensitive information,” Pontiroli said. “Activity like this underscores how cyber operations increasingly serve as an intelligence-gathering layer that runs in parallel to kinetic conflict, enabling actors to monitor targets, map networks, and identify high-value individuals during periods of heightened geopolitical tension.” ®