
Malware-laced ‘RedAlert – Rocket Alerts’ app targets Israeli users 


Threat actors are targeting Israeli Android users with a malicious version of the ‘RedAlert – Rocket Alerts’ app that hides spyware.

A threat actor is targeting Israeli Android users with a spyware-laced version of the ‘RedAlert – Rocket Alerts’ app, Cloudflare warns.

RedAlert – Rocket Alerts is a mobile app that provides real-time alerts about incoming rocket attacks in Israel. It is developed by a team of volunteers and is based on real-time data provided by the Home Front Command (Pikud Haoref). The app is highly popular, with over a million downloads on Google Play.

In the wake of the Israel-Gaza conflict, more than 5,000 rockets have been launched into Israel since the attacks from Hamas began on October 7, 2023. For this reason, the RedAlert – Rocket Alerts app is a valuable tool for Israeli citizens because it provides them with precise alerts about incoming airstrikes.

The legitimate app is available on Google Play and has over a million downloads on

On October 13, 2023, Cloudflare’s Cloudforce One Threat Operations Team discovered a website hosting a malware-laced version of the RedAlert – Rocket Alerts application.

The website hxxps://redalerts[.]me was created on October 12, 2023; the domain differs from the legitimate website by only one letter (‘s’).

The site displays two download buttons, one for iOS and one for Android.

Users who choose the iOS download are redirected to the legitimate project’s page on the Apple App Store, while the Android button starts the download of the rogue APK file.

The APK borrows the open-source code of the RedAlert app, which was modified to include the attackers’ malicious code.

“The malicious RedAlert version imitates the legitimate rocket alert application but simultaneously collects sensitive user data. Additional permissions requested by the malicious app include access to contacts, call logs, SMS, account information, as well as an overview of all installed apps,” reads the advisory published by Cloudflare.

Once the app has collected user data, the malware uploads it to an HTTP server at a hardcoded IP address.

The malicious app supports anti-analysis capabilities, including anti-debugging, anti-emulation, and anti-test operations.

The website hosting the rogue RedAlert app was offline at the time of this publishing.

Users who have installed RedAlert on their devices can determine whether they have been compromised by checking for extraneous permissions, such as:

  • Call Logs
  • Contacts
  • Phone
  • SMS
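The permission check described above, as an added example (not code from the Cloudflare advisory or from Security Affairs): it reads `adb shell dumpsys package` output and flags any permission that matches the groups the article lists. The mapping of those groups to Android permission names, the `PKG` placeholder and the sample dumpsys text are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloudflare advisory or Security Affairs): triage the
# permissions an installed RedAlert build requests, using the permission groups the
# article lists (Call Logs, Contacts, Phone, SMS) plus the account/installed-app
# access quoted from the advisory. The mapping to Android permission names is mine.
SUSPECT_PERMS='android.permission.READ_CALL_LOG
android.permission.WRITE_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_PHONE_STATE
android.permission.CALL_PHONE
android.permission.READ_SMS
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
android.permission.GET_ACCOUNTS
android.permission.QUERY_ALL_PACKAGES'

# flag_permissions: read "adb shell dumpsys package <pkg>" output on stdin and
# print, one per line and deduplicated, every suspect permission it mentions.
flag_permissions() {
  grep -oE 'android\.permission\.[A-Z_]+' | sort -u | while read -r perm; do
    if printf '%s\n' "$SUSPECT_PERMS" | grep -qxF "$perm"; then
      printf '%s\n' "$perm"
    fi
  done
}

# Constructed sample in the shape of dumpsys output; a genuine alert app needs
# network and boot permissions, not the contacts/SMS access shown here.
SAMPLE='    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true'

# count_suspect: number of suspect permissions found in SAMPLE (expected: 2).
count_suspect() { printf '%s\n' "$SAMPLE" | flag_permissions | wc -l | tr -d ' '; }

# On a real device (PKG is a placeholder; find it with `adb shell pm list packages`):
#   adb shell dumpsys package "$PKG" | flag_permissions
```

Any line the function prints is a permission a rocket-alert app has no reason to request and is worth treating as a compromise indicator.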


Pierluigi Paganini

(SecurityAffairs – hacking, Android)