SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Fake Red Alert app used in Android spyware smishing

Fri, 13th Mar 2026

Acronis' Threat Research Unit has identified a targeted Android spyware campaign that uses a fake version of Israel's Red Alert rocket warning app. The malware is spread via SMS messages that impersonate official Home Front Command communications.

Attackers distribute a trojanised Android app package outside official app stores. The texts urge recipients to install an "update" after an alleged malfunction. They use spoofed sender identities and include shortened links that redirect to a download.

Red Alert, known in Israel as "צבע אדום", is widely used for real-time missile and rocket notifications. The campaign exploits the expectation that emergency alert apps may need rapid updates during conflict. Similar SMS messages also circulated on social media among Israeli citizens, according to the researchers.

App mimicry

The malicious app is designed to look and behave like a legitimate safety tool. It retains the rocket alert functionality of the genuine Red Alert application, reducing suspicion after installation because users still receive familiar notifications.

Behind the visible alert features, the app runs spyware. After a victim grants permissions during setup and use, it begins collecting data, including SMS messages, contacts, location information, device accounts, and a list of installed applications.

Researchers described the activity as "smishing", which uses SMS messages for phishing. Here, the lure is an emergency service update delivered through a message claiming to come from the Home Front Command.

Bypassing checks

The investigation found techniques intended to make the app appear legitimately signed. The malware uses certificate spoofing and runtime manipulation to bypass Android signature checks, Acronis reported.

The analysed sample also tries to appear as if it came from Google Play by spoofing the installer source and returning values associated with Google's app marketplace.

To reinforce legitimacy, the malware uses a two-stage structure: a loader and a second component that runs the real alert application. The loader extracts the legitimate app from within the package and forces Android to execute it, while the spyware continues running in the background.

Data theft

The spyware monitors whether the user grants permissions. Once SMS access is approved, it harvests messages, potentially exposing one-time passcodes used for authentication. After contacts access is granted, it collects names, phone numbers, and email addresses stored on the device.

The malware also gathers location information and can use it to control behaviour. The sample compares a victim's location with a configured target area and triggers actions based on distance, the research team said. It also extracts a list of accounts on the device using Android account management functions and enumerates installed applications to profile the device.

Collected data is staged locally and then transmitted to a remote command-and-control server. Acronis said the malware continuously exfiltrates information once installed.

Infrastructure clues

The command-and-control infrastructure is hardcoded in the app and obscured using layered string encoding, researchers said. The exfiltration endpoint identified in the analysis was hosted under the domain ra-backup[.]com, with submissions sent to an address under api[.]ra-backup[.]com.

The domain was registered through Namecheap and appears to be relatively new infrastructure, the report said. At the time of analysis, the exfiltration path returned an error response, which could indicate the server was gated by specific request requirements or had been taken down.

Possible attribution

Acronis assessed the campaign may be linked to Arid Viper, also known as APT-C-23. Indicators were consistent with previous activity associated with the group, including the use of trojanised Android apps, a focus on Israeli targets, and spyware functionality. However, the report noted the indicators are not unique and have appeared in other Android surveillance operations.

The activity fits a broader pattern of cyber operations tied to regional tensions. Security researchers have tracked a mix of hacktivist groups and operators aligned with nation states, including claimed distributed denial-of-service attacks and attempted intrusions into sensitive networks. The report referenced groups such as Handala and other actors linked to Iran's MOIS in recent years.

Risk reduction

Researchers advised users to install apps only from official sources and avoid sideloading Android packages delivered through SMS links or shortened URLs. They noted the legitimate Red Alert app is available through Google Play and that updates should not arrive via shortened links sent by text message.

Acronis also recommended reviewing permissions closely. An app claiming to be Red Alert that requests access to SMS, contacts, location, or overlay functions should be treated as suspicious. The report suggested checking potentially affected devices for the package name com.red.alertx and removing it. It also recommended a factory reset for confirmed infections and changing credentials for accounts accessed from an infected phone.
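For defenders who want to sweep their own telemetry for the two indicators the report names (the ra-backup[.]com exfiltration domain above and the com.red.alertx package name), here is an added example that is not part of the article or of Acronis' tooling. It matches the C2 domain and any subdomain of it against constructed DNS query lines and checks a constructed MDM package inventory; the log format and the inventory shape are assumptions.

```python
# Indicators quoted in the report (the article defangs them with "[.]")
C2_DOMAIN = "ra-backup.com"
MALICIOUS_PACKAGE = "com.red.alertx"

def _host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or any subdomain of it (e.g. api.ra-backup.com).
    Case-insensitive; a trailing dot from a fully qualified name is ignored."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def flag_dns_queries(log_lines):
    """Return (client, qname) pairs whose queried name falls under the C2 domain.
    Assumed constructed log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        client, qname = parts[1], parts[2]
        if _host_matches(qname, C2_DOMAIN):
            hits.append((client, qname.lower().rstrip(".")))
    return hits

def flag_devices(inventory):
    """Return device ids whose installed-package list contains the malicious package.
    inventory: {device_id: [package_name, ...]}, an assumed MDM export shape."""
    return sorted(dev for dev, pkgs in inventory.items() if MALICIOUS_PACKAGE in pkgs)

# Constructed sample data for demonstration; not taken from the report
SAMPLE_DNS = [
    "2026-03-12T09:14:02Z 10.0.0.17 api.ra-backup.com A",
    "2026-03-12T09:14:05Z 10.0.0.17 play.googleapis.com A",
    "2026-03-12T09:15:40Z 10.0.0.23 ra-backup.com.example.org A",  # lookalike prefix, not a hit
    "2026-03-12T09:16:01Z 10.0.0.31 RA-BACKUP.COM. A",               # mixed case, trailing dot
]
SAMPLE_INVENTORY = {
    "phone-a1": ["com.android.chrome", "com.red.alertx"],
    "phone-b2": ["com.android.chrome"],
}

if __name__ == "__main__":
    for client, name in flag_dns_queries(SAMPLE_DNS):
        print(f"C2 lookup from {client}: {name}")
    for dev in flag_devices(SAMPLE_INVENTORY):
        print(f"malicious package present on {dev}")
```

A hit on either list is a trigger for the steps the report recommends: remove the package, factory reset confirmed infections, and rotate credentials for accounts used on that phone.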

"This campaign highlights how trusted emergency services can be weaponized during periods of geopolitical tension, combining social engineering with mobile espionage to exploit user trust and maximize impact," said Subhajeet Singha, author at Acronis' Threat Research Unit.