RedAlert Mobile Espionage Campaign Targets Civilians with Trojanized Rocket Alert App for Surveillance

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

War zones have always been hunting grounds for opportunistic attackers, but the RedAlert mobile espionage campaign marks one of the most calculated examples of weaponizing civilian fear.

Against the backdrop of the ongoing Israel-Iran kinetic conflict, threat actors crafted a trojanized version of Israel’s official “Red Alert” emergency app — a life-saving tool civilians depend on during rocket attacks — and turned it into a covert surveillance engine.

The fake app, distributed as a malicious Android package named RedAlert.apk, reached victims through SMS phishing messages impersonating Israel’s Home Front Command, tricking them into installing it outside the Google Play Store.

The delivery method was designed to sidestep normal security behavior. Attackers sent smishing messages urging recipients to download what appeared to be an urgent wartime update for the legitimate Red Alert application.

Since the real app is exclusively available on the Google Play Store, this campaign forced victims to sideload the malicious APK, bypassing Android’s built-in installation protections.

The panic of war gave people little reason to pause, and once installed, the fake app displayed a fully working alert interface identical to the official one, giving victims no visual reason to suspect anything was wrong.

CloudSEK analysts identified this campaign through static and dynamic reverse engineering of the APK, uncovering a layered infection mechanism built to evade detection while silently harvesting sensitive data.

Beneath its convincing interface, the malware aggressively requested high-risk permissions — SMS access, contacts, and precise GPS location — framing them as routine requirements for the app’s emergency alert functions.

Once a single permission was granted, the associated data collection module activated immediately.

Harvested data was staged locally before being transmitted to attacker-controlled servers through HTTP POST requests directed at https://api[.]ra-backup[.]com/analytics/submit.php.

The real-world consequences extend well beyond typical data theft. By continuously tracking the GPS coordinates of infected devices during active air raids, attackers gained intelligence on civilian movement — data that could map shelter locations, trace displaced populations, or identify concentrations of military reservists.

Intercepting the full SMS inbox also gave adversaries a path to bypass two-factor authentication and conduct targeted disinformation operations.

CloudSEK’s assessment classified this campaign as a severe strategic and physical security threat, not a conventional spyware incident.

Inside the Three-Stage Infection Chain

The technical design behind RedAlert.apk reveals a deliberate multi-stage payload built to remain hidden from both users and security tools. 

Red Alert app (Source - CloudSEK)

In Stage 1, the outer APK shell operates as a cloaking device. Using a technique called Package Manager Hooking, the malware leverages Java reflection to intercept system calls that would normally expose its true signing certificate.

Instead, it returns a hardcoded certificate impersonating the official Home Front Command app’s 2014 credential — a SHA256withRSA, RSA 2048-bit certificate issued by an Israeli entity.

It also forces the system to report the app as installed from the Google Play Store, even though the victim sideloaded it. 

Stage 2 extracts a hidden file named “umgdn” — stored without a file extension inside the APK’s assets directory — and loads it into memory as a Dalvik Executable, shifting execution out of reach of static security scanners.

Dynamic Payload Loading (Source - CloudSEK)

Stage 3 then deploys the final payload, DebugProbesKt.dex, which activates the full spyware suite and establishes command-and-control communication with attacker infrastructure.
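The two static traits described above, an extension-less asset that is really a Dalvik executable and a manifest requesting the SMS, contacts and fine-location permissions together (the combination the article later says security teams should flag), can both be checked before an APK is ever run. The following triage script is an added example written for this article, not CloudSEK's tooling or code from the malware; it builds a constructed, minimal APK-like zip in memory (the package name, asset names and manifest contents are sample values) and assumes the manifest has already been decoded to plain XML, as apktool produces, since a real APK stores it in binary AXML form.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespace that the android:name attribute carries in a decoded manifest
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission triple the article recommends flagging when an app holds all three
HIGH_RISK_TRIPLE = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# A Dalvik executable starts with "dex\n" followed by a version such as "035\0"
DEX_MAGIC = b"dex\n"


def build_sample_apk() -> bytes:
    """Construct a minimal APK-like zip for demonstration (not the real RedAlert.apk)."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)  # decoded XML, as from apktool
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 60)
        # Constructed extension-less asset with a DEX header, mirroring the
        # "umgdn" trick the article describes
        zf.writestr("assets/umgdn", DEX_MAGIC + b"035\x00" + b"\x00" * 60)
        zf.writestr("assets/alerts.json", b"{}")  # benign asset for contrast
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Report requested permissions, the high-risk triple, and DEX files hidden in assets/."""
    findings = {"permissions": set(), "permission_triple": False, "hidden_dex_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        root = ET.fromstring(zf.read("AndroidManifest.xml"))
        for node in root.iter("uses-permission"):
            name = node.get(ANDROID_NS + "name")
            if name:
                findings["permissions"].add(name)
        findings["permission_triple"] = HIGH_RISK_TRIPLE.issubset(findings["permissions"])

        for entry in zf.namelist():
            if not entry.startswith("assets/") or entry.endswith("/"):
                continue
            basename = entry.rsplit("/", 1)[-1]
            if "." in basename:  # only extension-less assets are of interest here
                continue
            with zf.open(entry) as fh:
                head = fh.read(len(DEX_MAGIC))
            if head == DEX_MAGIC:  # content says "DEX" even though the name does not
                findings["hidden_dex_assets"].append(entry)
    return findings


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Matching on the file's magic bytes rather than its name is the point: a loader can call the asset anything it likes, but it still has to hand a valid DEX header to the class loader. A real-sample workflow would run apktool first and then point `triage_apk` at the rebuilt archive or read the decoded manifest directly.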

Users who suspect infection should immediately remove the fake RedAlert app and perform a complete factory reset, avoiding any backup restoration created after the initial infection date.

Network administrators should block all DNS and HTTPS traffic to api.ra-backup[.]com and blacklist identified C2 IP addresses, particularly 216.45.58[.]148.

Mobile Device Management policies must prohibit app sideloading from unknown sources. Security teams should also flag any application that simultaneously holds READ_SMS, READ_CONTACTS, and ACCESS_FINE_LOCATION permissions.

Organizations should issue immediate advisories warning personnel about conflict-themed smishing attacks tied to the Israel-Iran crisis.
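Blocking the C2 domain and address is the first step; the second is checking whether any device already spoke to them. The script below is an added example for this article, not CloudSEK's code, and shows how a detection engineer might refang the two indicators published above (api.ra-backup[.]com and 216.45.58[.]148) and sweep them across DNS, proxy and firewall logs. The log lines are constructed samples in a loosely typical key=value format, not real telemetry; the field names (query=, url=, dst=) are an assumption about the log sources.

```python
import ipaddress
import re

# Indicators as published in the article, in defanged form
DEFANGED_IOCS = ["api.ra-backup[.]com", "216.45.58[.]148"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a form that matches live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_iocs(indicators):
    """Separate IP-address indicators from hostname indicators."""
    ips, hosts = set(), set()
    for raw in indicators:
        value = refang(raw).lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            hosts.add(value)
    return ips, hosts


# Constructed sample log lines (not real data): DNS, proxy and firewall records
SAMPLE_LOGS = [
    "2025-06-19T10:02:11Z dns client=10.0.5.23 query=api.ra-backup.com type=A",
    "2025-06-19T10:02:12Z proxy client=10.0.5.23 method=POST "
    "url=https://api.ra-backup.com/analytics/submit.php status=200",
    "2025-06-19T10:02:13Z fw src=10.0.5.23 dst=216.45.58.148 dport=443 action=allow",
    "2025-06-19T10:03:40Z dns client=10.0.5.24 query=www.example.org type=A",
    "2025-06-19T10:04:02Z proxy client=10.0.5.24 method=GET url=https://play.google.com/ status=200",
]

# Hostname-bearing fields; an optional scheme is skipped and the value stops at / : or space
HOST_TOKEN = re.compile(r"(?:query|url|host|dst)=(?:https?://)?([^/\s:]+)")
IP_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_iocs(lines, indicators=DEFANGED_IOCS):
    """Return (line, indicator) pairs for every log line that touches an IoC.

    Hostnames match exactly or as a subdomain of the indicator; IP indicators
    match any dotted-quad token in the line, so dst= fields and bare addresses both hit.
    """
    ips, hosts = split_iocs(indicators)
    hits = []
    for line in lines:
        matched = None
        for token in HOST_TOKEN.findall(line):
            token = token.lower()
            for host in hosts:
                if token == host or token.endswith("." + host):
                    matched = host
        if matched is None:
            for ip in IP_TOKEN.findall(line):
                if ip in ips:
                    matched = ip
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    for line, indicator in match_iocs(SAMPLE_LOGS):
        print(f"[{indicator}] {line}")
```

The internal client address that appears in a hit (10.0.5.23 in the sample) is what an incident responder then chases: that device is the one to isolate and factory-reset per the guidance above, and its user's SMS-based second factors should be treated as exposed.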


The post RedAlert Mobile Espionage Campaign Targets Civilians with Trojanized Rocket Alert App for Surveillance appeared first on Cyber Security News.