The bottom line: Attackers are distributing a weaponized version of Israel's official Red Alert rocket warning app through SMS phishing. The fake app looks identical to the real one and even delivers genuine rocket alerts. But in the background, it's harvesting SMS messages, contact lists, and real-time GPS coordinates—potentially exposing civilian shelter locations and military reservist movements during active air raids.

How the Attack Works

On March 3, 2026, security researchers at CloudSEK published their findings on a mobile espionage campaign targeting Israeli civilians [1].

The attack starts with an SMS that appears to come from the Israel Defense Forces Home Front Command—the official source for emergency alerts. The message urges recipients to install an "updated" version of the Red Alert app, with a download link bypassing the Google Play Store.

The trick is clever: the app actually works. It connects to the real alert infrastructure and delivers genuine rocket warnings. Victims have no reason to suspect anything's wrong.

But underneath the functional facade, three layers of spyware are loading:

  1. Initial loader: Cloaks the app and extracts hidden components from an embedded file called "umgdn"
  2. Intermediate payload: Dynamically loads from internal files
  3. Core spyware (DebugProbesKt.dex): Establishes command-and-control communication and activates surveillance functions

What the Spyware Steals

Once installed, the malicious app "aggressively prompts the victim for high-risk system permissions," according to CloudSEK's analysis [2]. If granted, it harvests:

  • Complete SMS inbox: Every text message, including two-factor authentication codes
  • Full contact list: Names, phone numbers, email addresses—your entire social network
  • Live GPS coordinates: Continuous location tracking, even during air raids
  • Device metadata: Phone model, OS version, installed apps

The data flows to attacker-controlled servers via HTTP POST requests to api.ra-backup[.]com/analytics/submit.php. The infrastructure runs through AWS and Cloudflare—legitimate services being abused for espionage.

Why GPS Tracking During Air Raids Is Terrifying

Think about what real-time GPS data reveals during active conflict:

  • Where civilians shelter when rockets are incoming
  • Movement patterns of military reservists returning to units
  • Which buildings fill with people during attacks
  • Response times and evacuation routes

That's intelligence for targeting. Not abstract "data collection"—actual coordinates of where people hide when bombs fall.

The SMS harvesting is also dangerous. With two-factor authentication codes, attackers can hijack bank accounts, email, social media—any service tied to that phone number.

How It Evades Detection

The malware uses several techniques to look legitimate:

  • Signature spoofing: Intercepts calls to Android's package verification and returns a hardcoded 2014-era certificate—the same one the real Red Alert app used years ago
  • Installer spoofing: Reports "com.android.vending" (Google Play Store) as the installation source, hiding the fact it was sideloaded
  • Real functionality: Connects to legitimate alert infrastructure so victims receive actual rocket warnings
  • Reflection and hooking: Uses Java reflection to manipulate internal Android components without triggering standard security checks

The package name is com.red.alertx—close enough to seem official at a glance [3].

Distribution Methods

CloudSEK identified several distribution channels:

  • SMS messages spoofing the Israel Home Front Command
  • Malicious download links including shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk
  • URL shorteners: bit[.]ly/3Ozydsn, bit[.]ly/2O3fHEX, bit[.]ly/3GfZoys

The URLs suggest attackers compromised legitimate websites to host the malware—a standard tactic that makes blocking harder.

Who's Behind It?

CloudSEK doesn't name a specific threat actor, but the targeting and timing point toward state-level capability [1].

The campaign "exploits heightened civilian panic surrounding the current Israel-Iran kinetic conflict." That's not opportunistic crime—that's weaponizing geopolitical crises for intelligence collection.

The sophistication of the evasion techniques and the choice of targets (civilians in an active conflict zone) suggest this isn't a cybercrime operation looking for bank accounts. This is espionage.

How to Protect Yourself

If you installed a Red Alert app from anywhere other than Google Play:

  1. Disconnect from the internet immediately
  2. Check the package name in Settings → Apps. The malicious version uses com.red.alertx
  3. If infected: factory reset is safer than just uninstalling. The malware has multiple persistence layers
  4. Change passwords for any accounts with SMS-based 2FA
  5. Monitor for unauthorized account access

Going forward:

  • Only install apps from official stores
  • Be suspicious of SMS messages urging app updates—even from "official" sources
  • Check app permissions. A rocket alert app shouldn't need SMS access
  • Consider using an authenticator app instead of SMS for 2FA

Indicators of Compromise

For security teams:

  • Package name: com.red.alertx
  • MD5: 9c6c67344fecd8ff8dbbee877aad7efc
  • SHA256: 83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72
  • C2 domain: api.ra-backup[.]com
  • C2 IPs: 216.45.58.148, 44.208.242.141, 44.200.176.254, 104.21.64.137, 172.67.137.156
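
The indicators above, together with the exfiltration path described earlier (HTTP POST to api.ra-backup[.]com/analytics/submit.php) and the package-name check in the protection steps, can be turned into a small triage script. The following is an added example written for this page, not code from CloudSEK or from the article; the proxy log lines and the `pm list packages -f` listing are constructed samples, and the proxy log column layout (timestamp, client, method, host, path, status) is an assumption about your logging format. The APK hashes are meant to be computed off-device on a pulled copy of the file, because the malware intercepts on-device package verification, so an on-device signature check is not trustworthy.

```python
import hashlib
import re

# Indicators copied from the article, kept in the defanged form it publishes.
PACKAGE_NAME = "com.red.alertx"
MD5_IOC = "9c6c67344fecd8ff8dbbee877aad7efc"
SHA256_IOC = "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72"
C2_DOMAINS_DEFANGED = ["api.ra-backup[.]com"]
DISTRIBUTION_DOMAINS_DEFANGED = ["shirideitch[.]com"]
C2_IPS = {"216.45.58.148", "44.208.242.141", "44.200.176.254",
          "104.21.64.137", "172.67.137.156"}


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
DISTRIBUTION_DOMAINS = {refang(d) for d in DISTRIBUTION_DOMAINS_DEFANGED}

# Constructed sample proxy log (not real traffic). Assumed column layout:
# timestamp client method host path status
PROXY_LOG = """\
2026-03-04T10:02:11Z 10.0.0.15 POST api.ra-backup.com /analytics/submit.php 200
2026-03-04T10:02:15Z 10.0.0.15 GET  www.example.com /index.html 200
2026-03-04T10:03:40Z 10.0.0.22 GET  216.45.58.148 /analytics/submit.php 200
2026-03-04T10:04:02Z 10.0.0.31 GET  shirideitch.com /wp-content/uploads/2022/06/RedAlert.apk 200
"""

PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def scan_proxy_log(text: str) -> list[dict]:
    """Flag log lines that touch the published infrastructure or look like the
    exfiltration POST / APK download. Returns one dict per flagged line."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, host, path, _status = m.groups()
        reasons = []
        if host in C2_DOMAINS:
            reasons.append("c2-domain")
        if host in C2_IPS:
            reasons.append("c2-ip")
        if host in DISTRIBUTION_DOMAINS:
            reasons.append("malware-host")
        # The article describes the exfil channel as HTTP POST to this path.
        if method == "POST" and path.endswith("/analytics/submit.php"):
            reasons.append("exfil-path")
        if path.lower().endswith(".apk"):
            reasons.append("apk-download")
        if reasons:
            hits.append({"time": ts, "client": client, "host": host, "reasons": reasons})
    return hits


# Constructed sample of `adb shell pm list packages -f` output. Each line is
# "package:<apk path>=<package name>"; the base64-like directory names are made up.
PM_LIST = """\
package:/data/app/~~abc==/com.red.alertx-xyz==/base.apk=com.red.alertx
package:/data/app/~~def==/com.example.weather-1/base.apk=com.example.weather
"""


def find_suspect_packages(pm_output: str) -> list[tuple[str, str]]:
    """Return (package, apk_path) for installed packages matching the IoC name.
    The apk_path is what you would `adb pull` for off-device hashing."""
    found = []
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        apk_path, _, pkg = line[len("package:"):].rpartition("=")
        if pkg == PACKAGE_NAME:
            found.append((pkg, apk_path))
    return found


def matches_known_sample(apk_bytes: bytes) -> bool:
    """Hash a pulled APK and compare with the published MD5/SHA256."""
    md5 = hashlib.md5(apk_bytes).hexdigest()
    sha256 = hashlib.sha256(apk_bytes).hexdigest()
    return md5 == MD5_IOC or sha256 == SHA256_IOC


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy hit:", hit)
    for pkg, path in find_suspect_packages(PM_LIST):
        print("suspect package:", pkg, "at", path)
```

Matching the bare package name is only a first pass: a campaign variant could ship under a different name, so the hash comparison on the pulled file and the network indicators are the checks to rely on, and the `exfil-path` reason is worth keeping even once the domain rotates, since it keys on the request shape rather than the host.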

Sources

  1. CloudSEK - RedAlert Trojan Campaign Analysis
  2. Infosecurity Magazine - RedAlert Spyware Campaign
  3. Cybersecurity News - RedAlert Mobile Espionage Campaign

Published: March 6, 2026