Using trending items as malicious lures is relatively common. Doing it during a military conflict and intentionally targeting users in affected areas is another step.
Recently, the genuine app RedAlert – Rocket Alerts has gained popularity among users in Israel and Gaza because it lets individuals receive timely and accurate warnings about incoming air strikes. Last week, however, a malicious spoofed version of this app was detected that collected personal information such as contacts, call logs, SMS messages, account information, and a summary of other installed apps.
The discovery of this incident and similar ones unfortunately shows that cybercrime arising from the Israeli-Hamas conflict extends beyond state-on-state attacks on critical infrastructure and into the palm of the user’s hand.
First malicious app
Cloudflare found that the website hosting the malicious file was created on October 12th and has since gone offline. Only users who installed the Android version of the app are affected, and they are urgently advised to remove it.
Cloudflare said in a statement that it became aware of a website hosting a Google Android application that masqueraded as the legitimate RedAlert – Rocket Alerts application. “Given Israel’s current climate, this application relies heavily on individuals living in the country to be notified when it is important to seek safety,” the statement said.
According to a recent report from Arctic Wolf, creating malicious apps that impersonate known brands is common. Malicious apps found even in official app stores often carry names and images similar to popular software, or are disguised using the description of a free app. Attackers may also create fake reviews to boost the reputation of a malicious app and make it appear more legitimate.
In this case, however, the malicious application stole data by imitating a widely used app. Cloudflare said it was a “difficult time” for such services to be targeted by “threat actors,” adding that it was “another example of using credibility to convey information.”
Casey Ellis, founder and CTO of Bugcrowd, said he expects to see more cases like this where the Gaza conflict is used as a lure for malware, both regionally and globally.
“Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israeli-Hamas conflict certainly meets these criteria,” he said.
Cloudflare has not been able to attribute the malicious app to anyone, and there is no evidence that the threat actor is even based in the Middle East. It could therefore be the work of unrelated cybercriminals seeking to exploit the conflict for their own nefarious ends.
Multiple incidents
In a separate detection, Cloudflare reported that the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose the app’s servers and APIs, and send false alerts to some users, including messages about an impending nuclear bomb attack.
Group-IB Threat Intelligence, which also detected the incident, said: “This indicates that attacker behavior can vary, as hacktivists are commonly associated with conducting small-scale DDoS attacks and defacements. However, as ongoing conflicts have shown, their actions can sometimes be far more destructive and costly, and it is essential to map the risks of hacktivism as part of your threat intelligence and mitigation program.”
Krishna Vishnubhotla, vice president of product strategy at Zimperium, said mobile app spoofing is easy because many app teams mistakenly give threat actors the blueprint for exploitation.
He said, “While app teams focus on code optimization and speed to market, they do not ensure sufficient threat visibility and protection once the app is published. Threat actors know this and use reverse engineering to truly understand the inner workings of an app.”
Vishnubhotla adds, “Hackers can easily create spoofed applications if they know the application’s architecture, data flows, and security mechanisms.”
Be careful when clicking
The advice for avoiding this type of attack is simple. Arctic Wolf recommends checking an app’s developer and reviews and restricting its permissions where necessary. Users should only download apps from reputable developers and read other users’ reviews for any mention of scams or malicious activity.
Group-IB advises that “it is not uncommon for hacktivists to exploit web and mobile APIs, and they are often perceived as softer targets compared to core product APIs,” so organizations should carefully examine and harden their web-enabled applications.
Ellis admits that his advice on protecting against malicious apps (that users should trust but verify) isn’t groundbreaking, but there is a reason it endures.
“Double-check information that helps you resolve personal safety issues before relying on it, and triple-check before sharing it with others,” he says. He acknowledged that in this case the malicious app may have been downloaded by worried people who did not give it the scrutiny it would normally receive.
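As an added illustration of the permission-checking advice above (example code, not from the article or from Arctic Wolf, Cloudflare or the app’s developers), the Python below reads a decoded AndroidManifest.xml and flags the permissions that grant the categories of data the spoofed app reportedly collected. The baseline permission set for an alert app, the package name and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaced attribute key for android:name in a decoded manifest.
NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Permissions that grant the data categories the spoofed app reportedly
# collected (contacts, call logs, SMS, accounts, installed apps). Constructed mapping.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
}

# Assumed baseline for a push-based alert app; not the genuine app's real manifest.
EXPECTED_ALERT_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.ACCESS_COARSE_LOCATION",
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def triage(manifest_xml: str) -> dict:
    """Flag permissions that expose harvestable data or fall outside the baseline."""
    perms = requested_permissions(manifest_xml)
    harvest = {p: HARVEST_PERMISSIONS[p] for p in perms if p in HARVEST_PERMISSIONS}
    return {
        "harvest_permissions": sorted(harvest),
        "data_exposed": sorted(set(harvest.values())),
        "other_unexpected": sorted(perms - EXPECTED_ALERT_PERMISSIONS - set(harvest)),
        "suspicious": bool(harvest),
    }

# Constructed sample: decoded manifest (apktool-style) of a hypothetical spoofed
# alert app; the package name is a placeholder, not the real malicious app's.
SPOOF_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.spoofed.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
```

Run `triage(SPOOF_MANIFEST)` on a manifest decoded from a sideloaded APK to see which harvest categories it can reach before installing.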