Spyware disguised as emergency-alert app sent to Israelis • The Register
https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
Publish Date: 2026-03-06 13:56:00
Source Domain: www.theregister.com
Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis’ smartphones via SMS messages, according to security researchers.
Acronis Threat Research Unit (TRU) analysts discovered the malicious app – a trojanized version of the Red Alert rocket app used by millions of Israelis – on March 1, after multiple citizens began reporting the scam on social media.
“At the moment there’s no way to know for sure what the scope or size is, or how many infections were successful,” TRU senior security researcher Eliad Kimhy told The Register. “The campaign is likely indiscriminate,” Kimhy added, noting the Israeli National Cyber Directorate and all major Israeli news sites have since released a warning about the phishing attack. This “further supports the theory that this is broadly indiscriminate.”
The threat researchers say the campaign may be linked to a Hamas-aligned cyberespionage group called Arid Viper (aka APT-C-23, Desert Falcons, or Two-tailed Scorpion) that has been active since at least 2013. This crew typically targets Israelis using surveillance malware for Android, iOS, and Windows systems.
This new campaign used SMS messages impersonating the official “Oref Alert” rocket warning service, distributed from spoofed sender IDs, and urged recipients to install an updated version of the emergency-alert app. The messages included a bit.ly shortened link – but instead of taking users to a legitimate Red Alert update, it redirected them to download spyware that collects and steals their information.
The malware’s developers used spoofed certificates and the app also spoofed the installer source, making the software appear to have been installed from Google Play. This allowed it to bypass Android security checks and appear to have been legitimately signed.
Analysis of the malware indicates that it requests 20…