The Acronis Threat Research Unit (TRU) has uncovered a sophisticated mobile spyware campaign targeting Israeli citizens by distributing a trojanized version of Israel’s Red Alert rocket warning Android app. The malicious version of the app, delivered through a targeted smishing operation, impersonates official Home Front Command alerts to lure users into downloading a compromised APK.
According to TRU researchers, reports first surfaced on March 1, 2026, when Israeli users began receiving spoofed “Oref Alert” SMS messages containing shortened bit.ly links that claimed the official Red Alert app was malfunctioning. Once installed, the trojanized application behaves exactly like the legitimate rocket warning app, keeping all of the real alert functionality so that nothing looks broken to the user, while harvesting extensive personal data in the background.
Investigators found that the malware uses a dual-stage loader, heavy code obfuscation, and signature spoofing to pass as a trusted app. Once granted the permissions it requests, the spyware collects SMS messages, contacts, email addresses, GPS location, the accounts linked to the device, and the list of installed applications. It also includes geofencing logic that changes its behavior based on the user's location, and uses dynamic invocation to hide its capabilities from static analysis. Stolen data is exfiltrated in structured batches to remote command-and-control servers, with randomized naming schemes and anti-analysis tricks applied along the way.
TRU warns that, because the spyware can read SMS, it is positioned to intercept one-time passwords as well as credentials, user profiles, and sensitive communications, posing a significant privacy and security risk during a period of heightened regional tension.
Acronis advises users to install apps only from Google Play, avoid clicking urgent or suspicious SMS links, and review every permission an app requests. Users should check their devices for an installed package named com.red.alertx, enable Google Play Protect, and block suspicious domains such as ra-backup.com. Anyone who may have installed the fake app is urged to rotate their passwords immediately and notify CERT-IL.
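The two indicators the advisory names, the package name and the C2 domain, can be checked mechanically. The script below is an added example written for this page, not Acronis or TRU tooling. It assumes `adb` is available when run against a live handset (the `RUN_LIVE=1` path), and for the offline checks it assumes the package list is in `adb shell pm list packages` format and that each DNS or proxy log line carries the queried host as a whitespace-delimited field (an optional `:port` or trailing dot is tolerated). The sample package list and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Acronis/TRU code): offline IOC checks for the
# indicators quoted in the advisory, plus the adb steps for a live device.

# Indicators quoted from the advisory. Extend these lists as more are published.
IOC_PACKAGES="com.red.alertx"
IOC_DOMAINS="ra-backup.com"

# find_ioc_packages: reads "package:com.example.app" lines (the output of
# `adb shell pm list packages`) on stdin and prints each IOC package found.
# Returns 0 if at least one IOC package is installed, 1 if clean.
find_ioc_packages() {
    hits=0
    while IFS= read -r line; do
        pkg=${line#package:}
        pkg=$(printf '%s' "$pkg" | tr -d '\r')   # adb output is often CRLF
        for ioc in $IOC_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                printf '%s\n' "$pkg"
                hits=1
            fi
        done
    done
    [ "$hits" -eq 1 ]
}

# find_ioc_domains: reads log lines on stdin and prints every line in which
# some field is an IOC domain or a subdomain of one. Matching is on whole
# labels, so "notra-backup.com" is not reported. Returns 0 on any hit.
find_ioc_domains() {
    hits=0
    while IFS= read -r line; do
        for word in $line; do
            host=${word%%:*}     # drop a ":443"-style port suffix
            host=${host%.}       # drop a trailing dot (BIND-style FQDN)
            for ioc in $IOC_DOMAINS; do
                case "$host" in
                    "$ioc"|*."$ioc") printf '%s\n' "$line"; hits=1; break 2 ;;
                esac
            done
        done
    done
    [ "$hits" -eq 1 ]
}

# collect_apk: with a handset attached, pull the APK of a flagged package and
# hash it so the sample can be reported (e.g. to CERT-IL). Assumes adb in PATH.
collect_apk() {
    pkg=$1
    path=$(adb shell pm path "$pkg" | tr -d '\r' | sed 's/^package://')
    [ -n "$path" ] || return 1
    adb pull "$path" "./$pkg.apk" >/dev/null && sha256sum "./$pkg.apk"
}

# Constructed sample data for an offline run.
SAMPLE_PACKAGES='package:com.android.chrome
package:com.red.alertx
package:com.google.android.gms'
SAMPLE_DNS_LOG='2026-03-02T09:14:03Z 10.0.0.23 query A cdn.ra-backup.com
2026-03-02T09:14:05Z 10.0.0.23 query A notra-backup.com
2026-03-02T09:14:07Z 10.0.0.24 query A play.googleapis.com'

if [ "${RUN_LIVE:-0}" = 1 ]; then
    # Live path: enumerate the attached device and pull anything flagged.
    adb shell pm list packages | find_ioc_packages | while IFS= read -r p; do
        echo "IOC package installed: $p"; collect_apk "$p"
    done
else
    echo "== package check (constructed sample) =="
    printf '%s\n' "$SAMPLE_PACKAGES" | find_ioc_packages || echo "no IOC packages"
    echo "== domain check (constructed sample) =="
    printf '%s\n' "$SAMPLE_DNS_LOG" | find_ioc_domains || echo "no IOC domains"
fi
```

On a real device, run `RUN_LIVE=1 sh ioc_check.sh` with USB debugging enabled; the package check is the authoritative one, since the trojan keeps the legitimate alert behaviour and gives the user nothing visible to notice.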
Organizations, meanwhile, are encouraged to strengthen mobile device management policies, filter network traffic, and implement mandatory cybersecurity awareness training to prevent similar attacks.
