Android users in Israel are being targeted by a malicious version of the “RedAlert – Rocket Alerts” app that operates as spyware in the background while still delivering the promised functionality.
RedAlert – Rocket Alerts is a legitimate open source app used by Israeli citizens to receive notifications of incoming rockets targeting the country. The app is very popular and has been downloaded more than 1 million times from Google Play.
Interest in the app has increased explosively as people seek timely warnings about airstrikes on their areas after Hamas terrorists launched an attack last week in southern Israel, firing thousands of rockets.
According to Cloudflare, hackers with unknown motives and origins are taking advantage of increased interest in the app and fear of attack to distribute fake versions that install spyware.
This malicious version is distributed from the website “redalerts[.]me”, which was created on October 12, 2023 and contains two buttons to download the app for the iOS and Android platforms.
The iOS download redirects the user to the official project’s page in the Apple App Store, while the Android button directly downloads the APK file to be installed on the device.
The downloaded APK uses the genuine code of the real RedAlert app, so it includes all the usual features and looks like a genuine Rocket Alert tool.
However, Cloudflare discovered that the application requests additional permissions from the victim. These include access to the user’s contacts, phone numbers, SMS content, list of installed software, call logs, the phone’s IMEI, logged-in email and app accounts, and more.
Upon launch, the app exploits these permissions to start a background service that collects data, encrypts it with AES in CBC mode, and uploads it to a hardcoded IP address.
The app also includes anti-debugging, anti-emulation, and anti-testing mechanisms intended to shield it from researchers and code analysis tools.
RedAlert safety tips
As of this writing, the fake site is offline. However, attackers may relocate to new domains after their activities are exposed.
An easy way to tell the real version from the trojanized version is to check which permissions the app requests upon installation, or which permissions it has access to if it is already installed on your device.
To check this, long-press the app icon, select App Info, and tap Permissions.
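As an added example (not part of this article), the following Python script performs the same permission check from a workstation: feed it the output of `adb shell dumpsys package <package>` and it flags any requested permission that maps to the data categories the spyware was reported to collect. The package name and the dumpsys excerpt below are constructed, not captured from a real device.

```python
# Android permissions covering the data the trojanized build was seen
# collecting: contacts, phone identifiers, SMS, installed apps, call logs,
# accounts. A rocket-alert app has no legitimate need for any of these.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone number / IMEI",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "SMS content",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.GET_ACCOUNTS": "logged-in accounts",
    "android.permission.QUERY_ALL_PACKAGES": "installed app list",
}

def parse_requested_permissions(dumpsys_text: str) -> list[str]:
    """Return the entries under 'requested permissions:' in the output of
    `adb shell dumpsys package <pkg>`. The section ends at the first line
    whose indentation is not deeper than the section header."""
    perms = []
    lines = dumpsys_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "requested permissions:":
            header_indent = len(line) - len(line.lstrip())
            for entry in lines[i + 1:]:
                indent = len(entry) - len(entry.lstrip())
                if not entry.strip() or indent <= header_indent:
                    break
                perms.append(entry.strip().split(":")[0])
            break
    return perms

def flag_sensitive(dumpsys_text: str) -> dict[str, str]:
    """Map each requested permission on the sensitive list to the data it exposes."""
    return {p: SENSITIVE_PERMISSIONS[p]
            for p in parse_requested_permissions(dumpsys_text)
            if p in SENSITIVE_PERMISSIONS}

# Constructed excerpt of dumpsys output (hypothetical package name).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.rocketalerts] (1a2b3c4):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.POST_NOTIFICATIONS
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.GET_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for perm, category in flag_sensitive(SAMPLE_DUMPSYS).items():
        print(f"{perm} -> {category}")
```

Any flagged permission is a reason to uninstall and obtain the app again only from the official Google Play listing.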
There have also been reports of hijacking incidents involving the real RedAlert app, in which hacktivists exploited flaws in its API to push fake notifications to users.
To minimize the possibility of such incidents, make sure you are using the latest app version with all available security fixes.