A sophisticated mobile espionage campaign has weaponized Israel’s official ‘Red Alert’ app by distributing a malicious version to civilians during the Israel-Iran conflict, turning a life-saving tool into a surveillance mechanism. The fake app, named RedAlert.apk, was sent via SMS phishing messages impersonating Israel’s Home Front Command, tricking users into installing it outside the Google Play Store.
Exploiting Panic in Wartime
The RedAlert campaign exploited the fear and urgency of active conflict, using the legitimate emergency app’s name to distribute a malicious version. The app’s interface was identical to the official one, making it nearly impossible for users to detect the threat.
According to CloudSEK analysts, the fake app was designed to bypass Android’s built-in security features by forcing users to sideload the APK. Distributing it outside the store meant the malware never passed through the scrutiny applied to Google Play apps, allowing it to avoid detection by the usual checks.
The attackers used SMS phishing messages that appeared to be urgent wartime updates, urging users to download the app immediately. The real app is only available on Google Play, so the campaign required users to install the malicious APK directly, a process that typically raises security red flags.
Stealthy Data Harvesting and Surveillance
Once installed, the fake app requested high-risk permissions, including access to SMS, contacts, and GPS location. These permissions were framed as necessary for the app’s emergency alert functions, but in reality, they enabled data collection and surveillance.
CloudSEK’s analysis revealed that the malware harvests data locally before transmitting it to attacker-controlled servers through HTTP POST requests. The attackers could track users’ GPS coordinates during active air raids, potentially mapping shelter locations or identifying military reservists.
Intercepting SMS inboxes also allowed adversaries to bypass two-factor authentication and conduct disinformation campaigns. CloudSEK classified the campaign as a severe strategic and physical security threat, not just a conventional spyware incident.
Three-Stage Infection Chain
The technical design of the RedAlert.apk revealed a multi-stage infection chain built to remain hidden from both users and security tools. In Stage 1, the outer APK shell used a technique called Package Manager Hooking to intercept signature queries to the Android package manager, returning a hardcoded certificate that impersonated the official app’s credentials.
Stage 2 extracted a hidden file named ‘umgdn’ from the APK’s assets directory and loaded it into memory as a Dalvik Executable, so that static scanners inspecting only the APK’s packaged code would not see it. Stage 3 deployed the final payload, DebugProbesKt.dex, which activated the full spyware suite and established communication with attacker-controlled servers.
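A simple static check a defender can run against a suspect APK, written here as an added example (not CloudSEK’s tooling): it walks every zip entry and flags any file that carries a Dalvik executable header but is not one of the regular classes*.dex files, which is exactly where a hidden payload such as the ‘umgdn’ asset would show up. It assumes the hidden file is stored as an unencrypted DEX, and the sample APK is a constructed stand-in built in memory.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # every Dalvik executable starts with "dex\n" + 3-digit version + "\0"


def scan_apk_for_hidden_dex(apk_bytes: bytes) -> list[str]:
    """Return zip entry names that hold DEX bytecode but are not regular classes*.dex.

    A legitimate APK keeps its code as classes.dex, classes2.dex, ... at the zip root.
    A DEX header under any other name (for example assets/umgdn, as in the RedAlert
    sample) is a strong indicator of a payload meant to be loaded into memory at runtime.
    """
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.infolist():
            name = entry.filename
            is_regular_dex = (
                "/" not in name and name.startswith("classes") and name.endswith(".dex")
            )
            if is_regular_dex:
                continue
            with apk.open(entry) as fh:
                header = fh.read(8)
            # require both the magic and the "0NN\0" version suffix to avoid false hits
            if header[:4] == DEX_MAGIC and len(header) == 8 and header[7:8] == b"\0":
                suspicious.append(name)
    return suspicious


def build_sample_apk(hidden_dex: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest, classes.dex and one asset.

    The asset name 'umgdn' mirrors the one reported for RedAlert.apk; its content here
    is a synthetic DEX header, not the real payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder/>")
        apk.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        asset = DEX_MAGIC + b"035\0" + b"\0" * 64 if hidden_dex else b"not bytecode"
        apk.writestr("assets/umgdn", asset)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("hidden DEX present:", flag, "->", scan_apk_for_hidden_dex(build_sample_apk(flag)))
```

An encrypted or packed asset will not match the magic, so in practice this check is paired with a heuristic for large, extension-less, high-entropy files under assets/.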
CloudSEK warned users to immediately remove the fake app and perform a factory reset to avoid data retention. Network administrators were advised to block all DNS and HTTPS traffic to specific IP addresses and implement strict mobile device management policies.
Organizations were urged to issue advisories about conflict-themed smishing attacks, particularly those tied to the Israel-Iran crisis. The campaign highlights the growing risk of cyber threats exploiting geopolitical tensions to target civilians.