> Steals SMS messages, location data, contacts … and delivers it to Hamas-linked crew. Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis' smartphones via SMS messages, according to security researchers.…
# Incident Report: Hamas-Linked Spyware Campaign Exploiting Red Alert App
## Executive Summary
A surveillance campaign attributed to Arid Viper (APT-C-23) targeted Israeli citizens by distributing a trojanized version of the "Red Alert" emergency-warning app via SMS phishing. The malware, disguised as a critical security update, exfiltrates sensitive personal data including location, SMS messages, and contacts to a remote C2 server. While the exact scope of infection is unknown, the campaign is described as broadly indiscriminate, leveraging regional geopolitical tensions to maximize social engineering success.
## Incident Details
- **Discovery Date:** March 1, 2026
- **Incident Date:** Ongoing (observed late February to early March 2026)
- **Affected Organization:** Indiscriminate targeting of Israeli citizens
- **Sector:** Public / Consumer Mobile
- **Geography:** Israel
## Timeline of Events
### Initial Access
- **Date/Time:** Circa late February 2026
- **Vector:** SMS Phishing (SMiShing)
- **Details:** Attackers sent spoofed SMS messages impersonating "Oref Alert" (the official rocket warning service). The messages urged users to download an "updated" version of the app via a bit.ly shortened link.
### Lateral Movement
- **N/A:** The attack focuses on endpoint compromise and data exfiltration from mobile devices rather than lateral movement within a corporate network.
### Data Exfiltration/Impact
- **Details:** Once installed, the spyware requests 20 permissions to harvest GPS coordinates, SMS logs, contact lists, and system account details. It utilizes phishing overlays to capture credentials and one-time passwords (OTPs) from other applications. Data is staged locally and continuously transmitted to a remote C2 server.
### Detection & Response
- **Discovery:** Acronis Threat Research Unit (TRU) detected the app on March 1, 2026, following citizen reports on social media.
- **Response:** The Israeli National Cyber Directorate and major news outlets issued public warnings to alert citizens and mitigate further infections.
## Attack Methodology
- **Initial Access:** Social engineering via SMS; spoofed Sender IDs and bit.ly URL redirection.
- **Persistence:** Configured to automatically launch upon device reboot.
- **Privilege Escalation:** Requests high-level Android permissions (Location, SMS, Contacts) during installation.
- **Defense Evasion:** Use of spoofed certificates and a spoofed installer source to make the app appear as if it originated from the Google Play Store.
- **Credential Access:** Implementation of phishing overlays to intercept credentials and OTPs from legitimate apps.
- **Discovery:** Not applicable in a traditional network sense; the malware performs local reconnaissance of the device's accounts and contacts.
- **Lateral Movement:** Not observed.
- **Collection:** Continuous harvesting of SMS, location data, and contact lists.
- **Exfiltration:** Scheduled transmission of staged data to a remote Command and Control (C2) server.
- **Impact:** Privacy breach and surveillance; potential for account takeover through credential theft.
## Impact Assessment
- **Financial:** Unknown; potential for theft through intercepted banking credentials via overlays.
- **Data Breach:** High-volume theft of PII, location history, and private communications.
- **Operational:** Disruption of trust in critical emergency notification infrastructure.
- **Reputational:** Exploitation of legitimate emergency services (Red Alert/Oref Alert).
## Indicators of Compromise
- **Network Indicators:**
  - `bit[.]ly/` shortened links (the specific URLs are not reproduced in this report)
  - [Redacted C2 IP/Domain; referenced only as the attackers' remote server]
- **File Indicators:**
  - Trojanized APK: "Oref Alert" / "Red Alert" (malicious clone)
- **Behavioral Indicators:**
  - App requesting excessive permissions (SMS, GPS, Accounts).
  - App appearing to install from "Google Play" despite being downloaded via a browser link.
  - Presence of phishing overlays on financial or communication apps.
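The behavioral indicators above (SMS, location, contacts and account permissions, overlay capability, and auto-start on reboot) can be turned into a static triage check over an app's decoded `AndroidManifest.xml`. The script below is an added example written for this report, not code from the Acronis analysis or from any real sample; the two manifests it inspects are constructed for the demonstration. Its design point is that an emergency-alert app has a small, expected permission baseline (location and boot persistence are normal for such an app), so the signal is the permission families that fall outside that baseline, not the raw permission count.

```python
"""Added example: static triage of a decoded AndroidManifest.xml against the
permission/receiver pattern described in the report. The manifests below are
constructed for the demo; the trojanized app's real manifest is not on the page."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families named in the report's behavioral indicators.
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    # Drawing over other apps is what overlay phishing relies on.
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    # Persistence: relaunch after device reboot.
    "boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Assumed baseline for a legitimate rocket-alert app: it must know where the
# user is and must survive a reboot, but has no business reading SMS or contacts.
EXPECTED_FOR_ALERT_APP = {"location", "boot"}

def manifest_permissions(xml_text):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def boot_receivers(xml_text):
    """Return receiver class names registered for BOOT_COMPLETED (auto-start)."""
    root = ET.fromstring(xml_text)
    hits = []
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED":
                hits.append(recv.get(ANDROID_NS + "name"))
    return hits

def triage(xml_text):
    """Compare declared permission families with the expected baseline and
    report the findings that match the report's indicators."""
    perms = manifest_permissions(xml_text)
    families = {fam for fam, names in SENSITIVE.items() if perms & names}
    unexpected = families - EXPECTED_FOR_ALERT_APP
    findings = []
    if {"sms", "contacts"} <= unexpected:
        findings.append("harvests SMS and contact list beyond alert-app baseline")
    if "accounts" in unexpected:
        findings.append("enumerates device accounts")
    if "overlay" in unexpected:
        findings.append("can draw over other apps (overlay phishing)")
    if "sms" in unexpected and "overlay" in unexpected:
        findings.append("can read SMS OTPs while capturing credentials in an overlay")
    if "boot" in families and boot_receivers(xml_text):
        findings.append("auto-starts on reboot (persistence)")
    verdict = "suspicious" if "sms" in unexpected or len(unexpected) >= 2 else "expected"
    return {"permission_count": len(perms), "unexpected": sorted(unexpected),
            "findings": findings, "verdict": verdict}

# Constructed manifest mimicking the permission profile the report describes.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alert.clone">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a benign alert app that stays within the baseline.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alert">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("clone", CLONE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

The script expects a plain-text manifest; inside a real APK the manifest is stored as binary XML, so decode it first with a tool such as apktool or androguard before running the check. The same baseline idea extends to an MDM or app-vetting pipeline: keep a per-app-category expectation and alert on what exceeds it rather than on any single permission.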
## Response Actions
- **Containment:** Public awareness campaigns and official advisories from the National Cyber Directorate.
- **Eradication:** Identification of the malicious domains and shortened links for blacklisting.
- **Recovery:** Advising citizens to uninstall suspicious apps and monitor accounts for unauthorized access.
## Lessons Learned
- **High Success of Crisis-Themed Lures:** Attackers successfully exploit fear and urgency associated with kinetic conflicts.
- **App Signing Limitations:** Spoofed certificates can still deceive users despite modern mobile OS security features.
- **Reliance on Third-Party Links:** Users remain susceptible to shortened URLs delivered via SMS for "critical" updates.
## Recommendations
- **Application Sourcing:** Only install emergency applications directly from official stores (Google Play/Apple App Store) and never via SMS links.
- **Permission Review:** Users should audit app permissions and deny "SMS" or "Location" access to apps that do not clearly require them.
- **MFA Hardening:** Transition from SMS-based OTPs to app-based authenticators (TOTP) to mitigate the risk of SMS interception via spyware.
- **Threat Intelligence:** Organizations should monitor for spoofed versions of their official applications in the wild.