Bogus ‘RedAlert’ Missile Warning App Installs Spyware on Android Devices

    Malicious Version of ‘RedAlert – Rocket Alerts’ App Targets Israeli Android Users

    A malicious app masquerading as ‘RedAlert – Rocket Alerts’ is being used to deliver spyware to Israeli Android users. The legitimate open-source app is widely used by Israeli citizens to receive notifications about incoming rockets. With the recent increase in rocket attacks by Hamas terrorists, the app’s popularity has surged as people seek timely warnings about rocket attacks in their area.

    The attackers, whose motives and origins remain unknown, have taken advantage of the app’s increased demand and the fear surrounding the attacks. They are distributing a malicious version of the app through the website “redalerts[.]me,” which was registered on October 12, 2023. The website offers two download buttons, one for iOS and one for Android. The iOS button redirects to the legitimate project’s page on the Apple App Store, while the Android button serves an APK file directly for sideloading.

    The downloaded APK appears genuine because it is built from the legitimate RedAlert source code and delivers the promised rocket-alert functionality. On top of that, however, it requests additional permissions which it then uses to collect contacts, phone numbers, SMS content, the list of installed software, call logs, the phone’s IMEI, and more. The collected data is encrypted with AES in CBC mode and uploaded to a hard-coded IP address.

    To evade analysis, the app incorporates anti-debugging, anti-emulation, and anti-test mechanisms intended to frustrate researchers and automated code-review tools.

    At the time of writing, the fake website is offline, but the threat actors are likely to move to a new domain now that the operation has been exposed. To tell the trojanized build from the genuine one, compare the permissions it requests at installation with what a rocket-alert app plausibly needs: an alert app has no reason to ask for contacts, SMS, or call logs. If the app is already installed, long-press its icon, select ‘App info,’ and tap ‘Permissions’ to see what it has been granted. A permission review is only a partial check, since a trojanized build can also add behaviour that needs no extra runtime permission, so the safer rule is to install the app from the official app store rather than from an APK offered by a third-party website, and to treat any download that bypasses the store as suspect.
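    The two checks described above, a permission diff against a known-good build and a review of what an installed app has actually been granted, can be scripted. The following is an added example written for this page, not code from the RedAlert project or from the analysis being reported. It assumes the manifests have already been decoded to plain XML (an APK stores its manifest as binary XML, so a tool such as apktool or androguard must run first) and assumes a constructed dumpsys-style text for the on-device side; the package name, permission lists, and sample output are all made up for illustration, and the specific permissions mapped to each data type are an assumption based on the categories of data the page says the spyware collects.

```python
"""Flag permissions a trojanized APK requests beyond a known-good baseline,
and list sensitive permissions an installed package has actually been granted.

Added example for illustration; manifests and dumpsys output below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from permission to the data it exposes (assumption, based on
# the categories the article lists: contacts, numbers, SMS, installed apps,
# call logs, IMEI). Extend as needed.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_NUMBERS": "phone numbers",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI on older Android)",
    "android.permission.QUERY_ALL_PACKAGES": "installed software list",
}

# Constructed decoded manifest of a hypothetical genuine alert app.
GENUINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rocketalert">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>
"""

# Constructed decoded manifest of a hypothetical trojanized build: same base
# permissions plus the ones needed to harvest the data described in the article.
TROJANIZED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rocketalert">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>
"""

# Constructed excerpt in the style of `adb shell dumpsys package <pkg>`.
SAMPLE_DUMPSYS = """  Package [com.example.rocketalert] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+): granted=(true|false)", re.M)


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission> names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def excess_permissions(candidate_xml: str, baseline_xml: str) -> dict:
    """Permissions the candidate declares that the baseline does not, with a
    short note on what each one exposes (or a prompt to review it manually)."""
    extra = declared_permissions(candidate_xml) - declared_permissions(baseline_xml)
    return {p: SENSITIVE.get(p, "not in sensitive list; review manually") for p in sorted(extra)}


def granted_permissions(dumpsys_text: str) -> set:
    """Permissions reported as granted=true in dumpsys package output."""
    return {name for name, granted in GRANT_RE.findall(dumpsys_text) if granted == "true"}


def sensitive_granted(dumpsys_text: str) -> dict:
    """Subset of granted permissions that expose the data types the spyware collects."""
    return {p: SENSITIVE[p] for p in sorted(granted_permissions(dumpsys_text)) if p in SENSITIVE}


if __name__ == "__main__":
    print("Extra permissions in candidate build:")
    for perm, note in excess_permissions(TROJANIZED_MANIFEST, GENUINE_MANIFEST).items():
        print(f"  {perm}: {note}")
    print("Sensitive permissions granted on device:")
    for perm, note in sensitive_granted(SAMPLE_DUMPSYS).items():
        print(f"  {perm}: {note}")
```

    The diff only tells you what a build asks for, not what it does with it; a genuine build of an alert app may legitimately add a permission between releases, so confirm any flagged item against the project's own release notes or source before calling a sample malicious. Conversely, an empty diff does not clear a sample, since a trojanized build could collect data using only permissions the baseline already holds.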

    It is also worth noting that there have been reported hijacks of the genuine RedAlert app, with hacktivists exploiting API flaws to push fake notifications to users. To minimize the risk of such incidents, users should make sure they are running the latest version of the app, which includes all available security fixes.

    In summary, Israeli Android users should be wary of the malicious version of the ‘RedAlert – Rocket Alerts’ app distributed through the website “redalerts[.]me.” Installing only from the official app store, reviewing the permissions an app requests, and keeping the app updated with the latest security patches help mitigate the risk.
