A recent targeted cyberattack is leveraging the trusted Red Alert rocket warning app to infect Israeli users with spyware.
Acronis Threat Research Unit (TRU) discovered the malicious campaign on March 1, 2026, when reports from Israeli citizens surfaced on social media about receiving SMS messages from spoofed official sources.
These messages contained links to a trojanized version of the Red Alert app, which is widely used in Israel to receive real-time missile and rocket alert notifications.
The attack demonstrates the evolving tactics of threat actors exploiting geopolitical events to target individuals with high-value data.
The malware first collects a range of sensitive information, including SMS messages, contact lists, GPS location, and accounts stored on the device.
By requesting permissions such as READ_SMS, ACCESS_FINE_LOCATION, and READ_CONTACTS, the malware gathers information that is valuable for identity theft and further surveillance.
The spyware can even harvest one-time passwords (OTPs) and banking messages, making it a potent tool for credential theft.
A major feature of this attack is its use of a dual-stage architecture, in which the trojanized app serves as both a dropper and a loader.
The malware loads the legitimate Red Alert app from the device’s assets, making it appear to work normally while secretly running the spyware in the background.
This ensures the malware remains undetected, as the user is still receiving the usual alerts from the legitimate app.
One of the malware’s most significant evasion techniques is its use of a forged app signature. By dynamically modifying the app’s signature and impersonating Google Play, the malware bypasses basic Android security checks.
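The three traits described above, a spyware-grade permission set, a second APK carried under assets/ so the real app can be loaded as cover, and a signing certificate that does not match the genuine publisher, can each be checked statically before an APK is allowed onto a managed device. The following triage script is an added example written for this article; it is not Acronis TRU tooling and not code from the report. It assumes the text formats printed by `aapt dump permissions <apk>` and `apksigner verify --print-certs <apk>`, reads the APK itself as a ZIP, and uses an obviously fake placeholder for the publisher's pinned certificate digest. The sample package, permission dump and digest are constructed for the demonstration.

```python
"""Static triage of a suspicious Android package from a defender's seat.

Added example, not the research team's tooling. Flags three traits described
in the write-up: a spyware-grade permission combination, a nested ZIP/APK
hidden under assets/ (the dropper-plus-loader pattern), and a signing
certificate that does not match the publisher's known-good fingerprint.
Input formats for `aapt dump permissions` and `apksigner verify
--print-certs` are assumed from those tools' usual output.
"""
import io
import re
import zipfile

# Permissions that together give SMS, contact, location and account access.
# The combination is the signal, not any single entry.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
}

# PLACEHOLDER: replace with the genuine publisher's certificate SHA-256 digest.
PINNED_SIGNER_SHA256 = "00" * 32

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every ZIP/APK


def parse_aapt_permissions(aapt_output):
    """Return the permission names listed by `aapt dump permissions`."""
    return set(re.findall(r"uses-permission: name='([^']+)'", aapt_output))


def parse_apksigner_digest(apksigner_output):
    """Pull the signer certificate SHA-256 digest out of apksigner output."""
    m = re.search(r"SHA-256 digest:\s*([0-9a-fA-F]{64})", apksigner_output)
    return m.group(1).lower() if m else None


def find_embedded_apks(apk_bytes):
    """List entries under assets/ whose bytes start with a ZIP header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            with zf.open(info) as fh:
                if fh.read(4) == ZIP_MAGIC:
                    hits.append(info.filename)
    return hits


def triage(aapt_output, apksigner_output, apk_bytes):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    risky = sorted(parse_aapt_permissions(aapt_output) & HIGH_RISK_PERMISSIONS)
    if len(risky) >= 2:
        findings.append("spyware-grade permission set: " + ", ".join(risky))
    nested = find_embedded_apks(apk_bytes)
    if nested:
        findings.append("embedded archive(s) under assets/: " + ", ".join(nested))
    digest = parse_apksigner_digest(apksigner_output)
    if digest is None:
        findings.append("signer certificate digest not found in apksigner output")
    elif digest != PINNED_SIGNER_SHA256:
        findings.append("signer does not match the pinned publisher certificate")
    return findings


def build_sample_apk():
    """Constructed sample: an outer ZIP carrying a second ZIP under assets/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")          # stand-in payload
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary axml placeholder>")
        z.writestr("assets/alerts.dat", inner.getvalue())  # hidden archive
        z.writestr("assets/sounds/siren.ogg", b"OggS....")  # ordinary asset
    return outer.getvalue()


# Constructed tool output; the package name is fictitious.
SAMPLE_AAPT = """package: com.example.fakealerts
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.GET_ACCOUNTS'
"""
SAMPLE_APKSIGNER = "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_AAPT, SAMPLE_APKSIGNER, build_sample_apk()):
        print("[!]", finding)
```

The nested-archive check reads only the first four bytes of each asset, so it is cheap to run across an entire MDM inventory, and the signer comparison is a pin, not a trust-store lookup: a package that claims to be the alert app but is signed by anyone other than its publisher fails regardless of how legitimate the certificate looks.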
The use of an encrypted Command-and-Control (C2) infrastructure adds another layer of obfuscation, making it difficult for security systems to track the malware’s activities.
According to Acronis research, this campaign highlights the dangers of relying on trusted applications during periods of high tension, such as regional conflicts.
By embedding spyware within a trusted alert system, the attackers could effectively bypass security measures and gain access to sensitive data without raising suspicion.
The use of social engineering, obfuscation, and advanced evasion techniques underscores the growing sophistication of cyberattacks targeting civilian populations.
Organizations must extend their security measures beyond traditional defenses and be vigilant about the security of critical applications used by the public.
In particular, HR, government, and financial institutions should reinforce mobile device management (MDM) policies and ensure that employees and citizens are aware of the risks posed by malicious applications.
By combining behavioral detection and threat intelligence, organizations can better defend against these advanced, multi-layered attacks.
