## Full Report

Wired has the story:

> Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store. The messages arrived in quick succession over a period of 30 minutes, starting with the phrase ‘Help has arrived’ at 9:52 am Tehran time, shortly after the first set of explosions. No party has claimed responsibility for the hacks...

## Analysis Summary
# Incident Report: Compromise of BadeSaba Calendar App for Psychological Operations
## Executive Summary
In early 2026, the BadeSaba Calendar prayer-timing app, which has over 5 million downloads, was compromised to facilitate a large-scale psychological operation (PsyOp) against Iranian citizens. Attackers leveraged pre-established access to push unauthorized notifications—starting with the phrase "Help has arrived"—to mobile devices immediately following military kinetic strikes. The incident is characterized by its high coordination with real-world events and its reach into the civilian population.
## Incident Details
- **Discovery Date:** March 5, 2026 (Publicly reported)
- **Incident Date:** Circa early 2026 (Concurrent with kinetic strikes)
- **Affected Organization:** BadeSaba Calendar (App Developers/Users)
- **Sector:** Technology / Religious Services / Mobile Applications
- **Geography:** Iran
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-dating the kinetic strikes (unspecified)
- **Vector:** Likely supply chain compromise or exploit of the app's push notification server infrastructure.
- **Details:** Attackers likely gained "quiet" access prior to the strikes to ensure delivery during the kinetic operation.
### Lateral Movement
- **Details:** Unauthorized access from the application's backend or content delivery network (CDN) to the push notification services that communicate with over 5,000,000 end-user devices.
### Data Exfiltration/Impact
- **Details:** No data exfiltration was reported; the impact was focused on the injection of psychological propaganda and disruption of public calm during an emergency.
### Detection & Response
- **How it was discovered:** Citizens noticed anomalies when receiving notifications that contradicted government instructions or status.
- **Response actions taken:** Not explicitly detailed in the report, though users likely began uninstalling the app or disabling notifications upon discovery of the hack.
## Attack Methodology
- **Initial Access:** Likely through compromised developer credentials or vulnerability in the app's notification API.
- **Persistence:** Maintaining access to the app's backend servers or infrastructure.
- **Defense Evasion:** Choosing a widely trusted religious app allowed the messages to bypass traditional media censorship.
- **Impact:** Use of the push notification system to broadcast psychological messaging ("Help has arrived") to induce confusion or lower morale during explosions.
## Impact Assessment
- **Financial:** Potential loss of revenue for the app developer due to mass uninstalls.
- **Data Breach:** Compromise of the integrity of the notification delivery system.
- **Operational:** Disruption of a critical information channel (prayer timings) and emergency communication.
- **Reputational:** Massive loss of trust in a staple Iranian mobile application.
## Indicators of Compromise
- **Behavioral indicators:**
  - Unauthorized push notifications starting at 09:52 AM Tehran time.
  - Bursts of messages delivered over a 30-minute window.
  - Messages containing "Help has arrived" or similar surrender/propaganda narratives.
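The behavioral indicators above (a burst of broadcasts inside a 30-minute window, carrying text that does not belong to the app's normal content) can be turned into a simple detection over a notification service's own send log. The following is an added example, not code from the report, from Wired, or from the BadeSaba developers: the log format, the service-account name, the per-window baseline and the allowlist of expected reminder texts are all assumptions, and the sample log lines are constructed.

```python
"""Burst detector for push-notification send logs (added example, not from
the report). Input: constructed audit-log lines from a hypothetical
notification service, one line per broadcast, in the assumed form
    <ISO timestamp> broadcast audience=<n> by=<account> text="<message>"
It flags any 30-minute window holding more broadcasts than the assumed
baseline and lists every message text outside the expected-content allowlist."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) broadcast audience=(?P<aud>\d+) by=(?P<by>\S+) text="(?P<text>[^"]*)"$'
)

# Constructed sample: scheduled prayer reminders, then a burst of unscheduled
# messages sent through the same service account. Only "Help has arrived"
# is taken from the report; the other texts are placeholders.
SAMPLE_LOG = """\
2026-03-05T05:10:00+03:30 broadcast audience=5000000 by=scheduler text="Fajr prayer time"
2026-03-05T09:52:00+03:30 broadcast audience=5000000 by=scheduler text="Help has arrived"
2026-03-05T09:58:00+03:30 broadcast audience=5000000 by=scheduler text="constructed message 2"
2026-03-05T10:05:00+03:30 broadcast audience=5000000 by=scheduler text="constructed message 3"
2026-03-05T10:14:00+03:30 broadcast audience=5000000 by=scheduler text="constructed message 4"
2026-03-05T12:30:00+03:30 broadcast audience=5000000 by=scheduler text="Dhuhr prayer time"
"""

# Assumption: the only legitimate broadcast texts are the five daily reminders.
EXPECTED_TEXT = re.compile(r"^(Fajr|Dhuhr|Asr|Maghrib|Isha) prayer time$")
WINDOW = timedelta(minutes=30)
BASELINE_PER_WINDOW = 1  # assumption: at most one scheduled reminder per 30 min


def parse(log: str) -> list[dict]:
    """Parse broadcast records, skipping lines that do not match the format."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "audience": int(m["aud"]),
            "by": m["by"],
            "text": m["text"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_bursts(events: list[dict]) -> list[tuple[datetime, int]]:
    """Sliding window over sorted events: count broadcasts within WINDOW of each
    start. Returns (window start, count) for each window over the baseline;
    after reporting a burst the scan skips past it so one burst is reported once."""
    bursts = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        j = i
        while j < len(events) and events[j]["ts"] - start <= WINDOW:
            j += 1
        count = j - i
        if count > BASELINE_PER_WINDOW:
            bursts.append((start, count))
            i = j
        else:
            i += 1
    return bursts


def unexpected_texts(events: list[dict]) -> list[str]:
    """Every broadcast text that is not one of the expected reminders."""
    return [e["text"] for e in events if not EXPECTED_TEXT.match(e["text"])]


def analyze(log: str) -> dict:
    events = parse(log)
    return {"bursts": find_bursts(events), "unexpected": unexpected_texts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for start, n in result["bursts"]:
        print(f"burst: {n} broadcasts within 30 min starting {start.isoformat()}")
    for text in result["unexpected"]:
        print(f"unexpected content: {text!r}")
```

On the constructed log this reports one burst of four broadcasts starting at 09:52 and four texts outside the allowlist. In a real deployment the baseline would come from the app's actual reminder schedule, and a hit on either check would be a reason to pause the delivery pipeline and look at who authorized the sends.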
## Response Actions
- **Containment measures:** Users advised to monitor/disable notifications from third-party apps during kinetic events.
- **Recovery actions:** Potential server-side resets by the BadeSaba developers (assumed).
## Lessons Learned
- **Key takeaways:** High-utility apps (clocks, calendars, prayer apps) are high-value targets for psychological warfare because of their "trusted" status and their deep integration into users' daily lives.
- **What could have been done better:** Stronger protection of API keys and push notification certificates; multi-factor authentication (MFA) for administrative access to notification broadcasting systems.
## Recommendations
- **App Developers:** Implement rigorous code signing, secure CI/CD pipelines, and multi-signature authorization for "broadcast-to-all" notification features.
- **End Users:** Use official government channels for emergency alerts and remain skeptical of unexpected political messaging from non-news applications during times of crisis.
- **Infrastructure:** Segregate notification delivery systems from other app backend functions to limit the blast radius of a credential compromise.
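The "multi-signature authorization for broadcast-to-all" recommendation, combined with the MFA and rate-limiting points from the lessons learned, can be expressed as a small server-side gate in front of the delivery system. This is an added example, not the BadeSaba code and not a description of how the app's backend works: the admin names, the MFA freshness window, the hourly limit and the required approver count are assumptions, and the walk-through data is constructed.

```python
"""Two-person-rule gate for a "broadcast-to-all" push feature (added example,
not the BadeSaba code). A broadcast reaches the delivery system only after two
distinct administrators, each with a recent MFA verification, have approved the
exact message text; broadcasts are also rate-limited per hour, and every
decision is appended to an audit trail. All names and limits are assumptions."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MFA_MAX_AGE = timedelta(minutes=10)   # assumption: MFA must be this fresh
MAX_BROADCASTS_PER_HOUR = 2           # assumption: well above normal use
REQUIRED_APPROVERS = 2


class BroadcastDenied(Exception):
    pass


@dataclass
class Admin:
    name: str
    mfa_verified_at: datetime | None = None


@dataclass
class BroadcastRequest:
    text: str
    requested_by: str
    approvals: dict[str, str] = field(default_factory=dict)  # admin -> digest

    @property
    def digest(self) -> str:
        # Approvals bind to the exact message bytes; editing the text voids them.
        return hashlib.sha256(self.text.encode()).hexdigest()


class BroadcastGate:
    def __init__(self) -> None:
        self.audit: list[str] = []
        self.sent_at: list[datetime] = []

    def approve(self, req: BroadcastRequest, admin: Admin, now: datetime) -> None:
        """Record an approval; refuses stale MFA and self-approval by the requester."""
        if admin.mfa_verified_at is None or now - admin.mfa_verified_at > MFA_MAX_AGE:
            self._log(now, f"DENY approve by {admin.name}: MFA not fresh")
            raise BroadcastDenied("fresh MFA required")
        if admin.name == req.requested_by:
            self._log(now, f"DENY approve by {admin.name}: requester cannot approve")
            raise BroadcastDenied("requester cannot self-approve")
        req.approvals[admin.name] = req.digest
        self._log(now, f"APPROVE by {admin.name} digest={req.digest[:12]}")

    def send(self, req: BroadcastRequest, now: datetime) -> bool:
        """True when the message may be handed to the delivery system."""
        valid = [a for a, d in req.approvals.items() if d == req.digest]
        if len(valid) < REQUIRED_APPROVERS:
            self._log(now, f"DENY send: {len(valid)}/{REQUIRED_APPROVERS} valid approvals")
            return False
        recent = [t for t in self.sent_at if now - t < timedelta(hours=1)]
        if len(recent) >= MAX_BROADCASTS_PER_HOUR:
            self._log(now, "DENY send: hourly broadcast limit reached")
            return False
        self.sent_at.append(now)
        self._log(now, f"SEND digest={req.digest[:12]} approvers={sorted(valid)}")
        return True

    def _log(self, now: datetime, line: str) -> None:
        self.audit.append(f"{now.isoformat()} {line}")


def demo() -> list[bool]:
    """Constructed walk-through; returns the send decisions in order."""
    t0 = datetime(2026, 3, 5, 9, 0, tzinfo=timezone.utc)
    gate = BroadcastGate()
    alice = Admin("alice", mfa_verified_at=t0)   # assumed admin accounts
    bob = Admin("bob", mfa_verified_at=t0)
    req = BroadcastRequest(text="Fajr prayer time", requested_by="ops-scheduler")
    results = [gate.send(req, t0)]                          # no approvals yet
    gate.approve(req, alice, t0 + timedelta(minutes=1))
    gate.approve(req, bob, t0 + timedelta(minutes=2))
    results.append(gate.send(req, t0 + timedelta(minutes=3)))  # two valid approvals
    req.text = "edited after approval"                      # digest changes, approvals void
    results.append(gate.send(req, t0 + timedelta(minutes=4)))
    return results


if __name__ == "__main__":
    print(demo())
```

The walk-through returns `[False, True, False]`: the first send fails for lack of approvals, the second succeeds after two fresh-MFA approvals from distinct admins, and the third fails because the text was changed after approval. Binding approvals to a hash of the message is what makes the two-person rule meaningful; without it, an attacker holding one set of credentials could get an innocuous text approved and swap the content before delivery.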