
Acronis Threat Research Unit (TRU) has identified a targeted smishing campaign distributing a trojanized version of Israel’s Red Alert rocket warning Android app to Israeli users through SMS messages impersonating official Home Front Command alerts. The malicious app maintains full legitimate rocket alert functionality to evade suspicion while secretly harvesting sensitive data like SMS messages, contacts, location, device accounts and installed apps in the background.
TRU researchers discovered the campaign on March 1, 2026, amid reports from Israeli citizens of spoofed “Oref Alert” SMS messages with bit.ly links claiming app malfunctions. The APK employs a dual-stage loader that spoofs IPackageManager signatures via proxy hooks, extracts a legitimate app from assets (umgdn) for cover execution, and requests dangerous permissions. It dumps SMS databases as soon as permission is granted, extracts contacts with phone numbers and emails, tracks GPS with geofencing logic, harvests accounts via reflection, and enumerates installed apps in JSON batches of 200 for exfiltration to C2, using randomised names and anti-analysis tricks.
The malware’s evasion techniques include forging signatures to mimic Google Play installs, overriding Android runtime fields for persistence, and conditional behaviors based on location proximity. Obfuscation layers and dynamic method invocation hinder detection, enabling the collection of OTPs, credentials and profiles at a time of conflict-related tension.
To mitigate this, Acronis urges users to download apps exclusively from Google Play, avoid clicking urgent SMS links, carefully review all requested permissions, and scan devices for the com.red.alertx package. Immediately block domains like ra-backup.com, rotate any potentially compromised credentials, enable Google Play Protect, and report incidents to CERT-IL. Organisations must implement mobile device management, network traffic filtering, and mandatory cybersecurity awareness training to prevent similar attacks.
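The two concrete checks in the mitigation advice above (the com.red.alertx package and the ra-backup.com domain) can be run over `adb shell pm list packages` output and DNS logs. The Python below is an added example, not code from Acronis or the report; the function names, the DNS log line format and all sample data are constructed assumptions.

```python
import re

IOC_PACKAGES = {"com.red.alertx"}  # package name given in the article
IOC_DOMAINS = {"ra-backup.com"}    # domain given in the article
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b\.?", re.I)

def flagged_packages(pm_output):
    """Package names in `pm list packages [-i]` output that match an IoC."""
    hits = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # With -i the line ends in "installer=..."; keep only the name.
        # The installer value is ignored on purpose: the article says the
        # sample forges signatures to mimic Google Play installs.
        fields = line[len("package:"):].split()
        if fields and fields[0] in IOC_PACKAGES:
            hits.append(fields[0])
    return hits

def is_ioc_host(host):
    """True for an IoC domain or a subdomain of it (whole-label match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def flagged_dns(log_lines):
    """(line number, host) for each hostname in the logs that is an IoC."""
    return [(n, h.lower().rstrip("."))
            for n, line in enumerate(log_lines, 1)
            for h in HOST_RE.findall(line) if is_ioc_host(h)]

# Constructed sample data (not from the report).
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.red.alertx  installer=com.android.vending
package:com.red.alertx.helper
"""
SAMPLE_DNS = [
    "2026-03-02T08:14:07Z 10.0.4.21 A api.ra-backup.com",
    "2026-03-02T08:14:09Z 10.0.4.21 A notra-backup.com",
    "2026-03-02T08:14:11Z 10.0.4.37 A ra-backup.com.example.org",
    "2026-03-02T08:15:02Z 10.0.4.37 AAAA RA-Backup.com.",
]

if __name__ == "__main__":
    print(flagged_packages(SAMPLE_PM))
    print(flagged_dns(SAMPLE_DNS))
```

Hostnames are matched on label boundaries, so lookalikes such as a longer name ending in the same string, or the IoC used as a prefix of another domain, are not reported as hits.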
For more information about the report and its findings with additional insights, visit the blog.















