A recent targeted cyberattack is abusing the trusted Red Alert rocket warning app to spread spyware to Israeli users. On March 1, 2026, the Acronis Threat Research Unit (TRU) identified the campaign after Israeli citizens began posting on social media about receiving SMS messages that claimed to come from official sources. The messages contained links to a trojanized version of the Red Alert app, which is widely used in Israel to receive real-time alerts about incoming missiles and rockets.
The attack shows how threat actors adapt their methods and exploit geopolitical events to target people who hold valuable data.

Technical Analysis and Infection Chain

The malware first collects a range of sensitive information, including SMS messages, contact lists, GPS location, and accounts stored on the device.
It obtains this data by requesting permissions such as READ_SMS, ACCESS_FINE_LOCATION, and READ_CONTACTS, and the information it gathers is useful both for identity theft and for further surveillance. The spyware can also capture one-time passwords (OTPs) and banking messages, which makes it an effective tool for credential theft.

Infection chain of the campaign (Source: Acronis)

A central part of the attack is its dual-stage architecture.
The trojanized app acts as both a dropper and a loader: it loads the legitimate Red Alert app from the device's files so that the app appears to work normally, while the spyware runs in the background. Because the user still receives alerts from the real app, the malware is less likely to be noticed.
One of the malware's main evasion techniques is a spoofed app signature. By changing the app's signature on the fly and presenting itself as Google Play, the malware bypasses basic Android security checks.

A report from an Israeli citizen who received an SMS purporting to come from Oref Alert (Source: Acronis)

The use of encrypted Command-and-Control (C2) infrastructure makes it even harder for security tooling to observe what the malware is doing.
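The article describes two static indicators a defender can check for when triaging a suspicious APK: a combination of sensitive permissions (SMS, location, contacts, accounts) and a second-stage payload bundled inside the app, which is what a dropper/loader design looks like on disk. The script below is an added example, not Acronis's code or anything from the campaign; it assumes the APK's AndroidManifest.xml has already been decoded from binary XML to plain XML (for example with apktool), and it builds a constructed, APK-shaped zip in memory so it runs offline. Permission names are real Android permissions; the package name, file names and risk thresholds are illustrative choices.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article associates with the spyware, plus RECEIVE_SMS for OTP interception.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (OTPs, banking messages)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "accounts stored on the device",
}

# Files under assets/ with these suffixes suggest a dropper carrying a second-stage payload.
PAYLOAD_SUFFIXES = (".apk", ".dex", ".jar")


def permissions_from_manifest(manifest_xml: bytes) -> set:
    """Return the set of permission names declared in a decoded (plain XML) manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage: flag sensitive permission combinations and embedded payloads."""
    findings = {"sensitive_permissions": [], "embedded_payloads": [], "risk": "low"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if "AndroidManifest.xml" in names:
            perms = permissions_from_manifest(zf.read("AndroidManifest.xml"))
            findings["sensitive_permissions"] = sorted(
                p for p in perms if p in SENSITIVE_PERMISSIONS
            )
        findings["embedded_payloads"] = sorted(
            n for n in names
            if n.startswith("assets/") and n.lower().endswith(PAYLOAD_SUFFIXES)
        )
    # Illustrative thresholds: a single sensitive permission (e.g. location for a genuine
    # alert app) is not suspicious on its own; a payload plus several is the dropper pattern.
    n_perm = len(findings["sensitive_permissions"])
    if findings["embedded_payloads"] and n_perm >= 2:
        findings["risk"] = "high"
    elif findings["embedded_payloads"] or n_perm >= 2:
        findings["risk"] = "medium"
    return findings


def build_sample_apk(permissions, embed_payload: bool) -> bytes:
    """Constructed sample for the demo: an APK-shaped zip with a plain-XML manifest.
    Real APKs carry a binary manifest; this assumes it was decoded beforehand."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    manifest = (
        f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">'
        + uses + "<application/></manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00")  # placeholder bytes, not a real dex
        if embed_payload:
            zf.writestr("assets/update.apk", b"PK-placeholder")  # stand-in for a bundled app
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_apk(
        ["android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
         "android.permission.READ_CONTACTS"],
        embed_payload=True,
    )
    print(triage_apk(suspicious))
```

The check is deliberately coarse: a legitimate alert app may well request location, so the scoring only escalates when several sensitive permissions appear together or when a second APK or DEX is carried in assets, which is the signature of the dropper-plus-loader layout the article describes. A real triage pipeline would also verify the APK's signing certificate against the known publisher's, since a spoofed signature is the other evasion technique discussed above.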
Strategic Consequences and Final Thoughts

According to Acronis research, this campaign highlights the dangers of relying on trusted applications during periods of high tension, such as regional conflicts. By embedding spyware within a trusted alert system, the attackers could effectively bypass security measures and gain access to sensitive data without raising suspicion.

Static analysis of the APK file (Source: Acronis)

The combination of social engineering, obfuscation, and advanced evasion techniques shows how cyberattacks on civilians are becoming increasingly sophisticated. Organizations need to go beyond traditional security measures and pay particular attention to the security of widely used public-facing apps. HR, government, and financial institutions in particular should strengthen their mobile device management (MDM) policies and make sure that employees and citizens are aware of the risks that malicious apps pose.
Organizations can better protect themselves from these advanced, multi-layered attacks by using both behavioral detection and threat intelligence.