A new mobile espionage campaign exploiting civilian fears during the ongoing Israel-Iran conflict has been identified, with attackers distributing a trojanized version of Israel's official Red Alert rocket warning app through SMS phishing.

The malicious operation, discovered by CloudSEK and dubbed RedAlert, bypasses the Google Play Store and instead lures victims into sideloading a fake update that closely imitates the legitimate application from the Israel Defense Forces Home Front Command.

The fraudulent app mimics the authentic interface and continues to deliver real rocket alerts, while a surveillance payload runs in the background.

Unlike the official version, which requires only notification access, the weaponized variant aggressively requests high-risk permissions, including access to SMS messages, contacts and precise GPS location data.

Researchers said the malware uses sophisticated anti-detection techniques. It spoofs the original app's 2014 signing certificate and falsifies installation data to appear as though it was downloaded from the Play Store.

By manipulating Android's internal package manager through reflection and proxy hooks, the software avoids standard integrity checks and conceals secondary payloads embedded within the application.
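As an added defender-side triage example (not code from CloudSEK's report), the Python below checks an installed package for the three indicators described above: high-risk permissions the official app does not need, a signing-certificate digest that differs from a pinned known-good value, and an installer field that the malware is said to falsify. The package name, the dumpsys excerpt and both certificate digests are constructed placeholders; in practice the digest comes from `apksigner verify --print-certs` on the APK.

```python
import re

# Permissions the report says the trojanized app requests; the official
# Red Alert app needs only notification access, so none of these belong.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
PLAY_STORE = "com.android.vending"

# Constructed excerpt in the style of `adb shell dumpsys package <pkg>`;
# the package name is a placeholder, not the real app's identifier.
SAMPLE_DUMPSYS = """\
  Package [com.example.redalert.lookalike] (a1b2c3d):
    versionName=1.0
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
"""

def parse_dumpsys(text):
    """Return (installer, set of requested permissions) from dumpsys output."""
    m = re.search(r"installerPackageName=(\S+)", text)
    installer = m.group(1) if m else None
    perms, in_block = set(), False
    for line in text.splitlines():
        if line.strip() == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if line.startswith("      ") and line.strip():
                perms.add(line.strip())
            else:
                in_block = False
    return installer, perms

def triage(text, cert_sha256, pinned_sha256):
    """Return a list of findings; an empty list means no indicator matched."""
    installer, perms = parse_dumpsys(text)
    findings = []
    risky = sorted(perms & HIGH_RISK)
    if risky:
        findings.append("high-risk permissions requested: " + ", ".join(risky))
    if cert_sha256.lower() != pinned_sha256.lower():
        findings.append("signing certificate digest does not match pinned value")
    if installer != PLAY_STORE:
        findings.append(f"installer is {installer!r}, not the Play Store")
    elif risky:
        # The report says install metadata is falsified, so a Play Store
        # installer value combined with over-permissioning is itself suspect.
        findings.append("Play Store installer claim inconsistent with permissions")
    return findings
```

A digest that matches the pinned value is not proof of authenticity on its own; the APK signature must also verify, which is why the report's certificate spoofing is checked together with the other indicators.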

Multi-Stage Infection Chain

The infection process unfolds in three stages:

1. An initial loader that cloaks the application and extracts hidden assets
2. A dynamically loaded intermediate payload stored as an internal file
3. A final executable component that activates spyware capabilities and command-and-control communication

Once active, the malware continuously monitors permission changes. The moment a user grants access to a single sensitive feature, data harvesting begins. Stolen information, including entire SMS inboxes, contact lists and real-time location coordinates, is staged locally before being transmitted to attacker-controlled servers via repeated HTTP POST requests.

Strategic And Physical Security Risks

Network analysis linked outbound traffic to infrastructure hosted on AWS and proxied through Cloudflare, obscuring the operators' backend systems. The command-and-control (C2) endpoint api.ra-backup[.]com was observed receiving exfiltrated data.

The CloudSEK researchers warned that the campaign poses more than a conventional cyber risk. Continuous GPS tracking during active air raids could expose civilian shelter locations or track the movement of military reservists. Intercepted SMS messages may also enable attackers to bypass two-factor authentication (2FA) or conduct targeted psychological operations.

Beyond espionage, the operation threatens public trust. By hijacking the branding of a critical emergency application, the campaign risks undermining confidence in official alert systems at a time when civilians depend on them most.

Security teams recommend immediate device isolation, revocation of administrative privileges and, in most cases, a full factory reset to remove the malware. Network administrators are urged to block known malicious domains and restrict sideloaded applications through mobile device management policies.