A fake RedAlert app wants to compromise Israeli Android users

February 19, 2024
Tags: AndroidOS, Fake App, Spyware, Israel, RedAlert App, Hackers

A fake RedAlert app that has surfaced in the Middle East targets Android users in Israel. Based on reports, the app operates as spyware in the background while still appearing to function as a legitimate app.

The legitimate RedAlert app is an open-source platform Israeli citizens use to receive rocket attack notifications. Its relevance to the current conflict in the region has earned it over a million downloads on Google Play. With the increased rocket attacks by Hamas in southern Israel, interest in the app has grown, making it a target for hackers.

[Image caption] Hackers have exploited panicking users to deploy their fake RedAlert app.

Hackers, whose motivations and origins could relate to the current conflict in the region, are taking advantage of this heightened interest and the fear of attacks to distribute a fake RedAlert app version.

These hackers distribute malicious versions of the app through the website “redalerts[.]me,” created on October 12, 2023. The site provides two download buttons, one for iOS and another for Android. While the iOS button redirects users to the legitimate Apple App Store page, the Android button directly downloads an APK file for installation on Android devices.

The downloaded APK contains the legitimate code of the real RedAlert app, making it appear as an authentic rocket alert tool. However, it requests additional permissions, including access to contacts, phone numbers, SMS content, the list of installed apps, call logs, phone IMEI, logged-in email and app accounts, and more.

In addition, once installed, the app starts a background service that uses these permissions to collect data, encrypt it, and upload it to a hardcoded IP address. The fake app also includes anti-analysis mechanisms that detect and evade the debugging, emulation, and testing tools used by security researchers.

As of now, the fake site is offline, but the threat actors could register a new domain at any time. Users should therefore know how to differentiate between genuine and counterfeit versions to avoid compromise.

Israeli users should review the permissions the app requests during installation, or the permissions it already holds if it is installed on their device. By long-pressing the app’s icon, users can select ‘App info’ and then tap ‘Permissions’ to see which permissions the app acquired during installation.
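The permission review described above can be automated, for example by an administrator checking many devices or an analyst examining a suspicious APK. The following Python script is an added example for this article, not code from the article or from the RedAlert project. It parses the text of `adb shell dumpsys package <package>` (the sample output embedded below is constructed, and the package name `com.example.alerts` is a placeholder), diffs the requested permissions against an assumed baseline for a notification-only alert app (a placeholder, not the official app's real manifest), and flags the high-risk permissions the article lists: contacts, SMS, call logs, phone state and device identifiers, logged-in accounts, and the list of installed apps.

```python
"""
Audit the permissions an installed Android app requests against the set a
known-good build is expected to request.

Added example for this article; not code from the article or from the RedAlert
project. Input is the text of `adb shell dumpsys package <pkg>`. The sample
output is constructed, and the baseline permission set is an assumed
placeholder, not the real app's manifest.
"""
import sys

# Permissions that match the data the article says the fake app collects.
# These are real Android permission names; the mapping to data types is ours.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "phone number / device identifiers",
    "android.permission.GET_ACCOUNTS": "logged-in accounts",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
}

# Assumed baseline (placeholder): what a notification-only alert app plausibly
# needs. Replace with the permission list taken from the official build.
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.VIBRATE",
}

# Constructed sample of `dumpsys package` output for an over-permissioned clone.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.alerts] (a1b2c3):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.POST_NOTIFICATIONS
      android.permission.READ_CONTACTS
      android.permission.READ_SMS: restricted=true
      android.permission.READ_CALL_LOG: restricted=true
      android.permission.READ_PHONE_STATE
      android.permission.GET_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_requested_permissions(dumpsys_text):
    """Return the set of permission names listed under 'requested permissions:'."""
    perms = set()
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # The block ends at the next section header (a line ending in ':')
            # or at a blank line.
            if not stripped or stripped.endswith(":"):
                break
            # Some Android versions annotate entries, e.g. "perm: restricted=true".
            perms.add(stripped.split(":", 1)[0].strip())
    return perms


def audit(dumpsys_text, baseline=BASELINE_PERMISSIONS):
    """Diff requested permissions against the baseline and flag high-risk extras."""
    requested = parse_requested_permissions(dumpsys_text)
    extra = sorted(requested - set(baseline))
    high_risk = {p: HIGH_RISK_PERMISSIONS[p] for p in extra if p in HIGH_RISK_PERMISSIONS}
    return {"requested": sorted(requested), "extra": extra, "high_risk": high_risk}


if __name__ == "__main__":
    # Usage: adb shell dumpsys package com.example.alerts | python audit_perms.py
    # With no piped input, the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    result = audit(text)
    print(f"{len(result['requested'])} permissions requested, "
          f"{len(result['extra'])} not in baseline")
    for perm, data in result["high_risk"].items():
        print(f"  HIGH RISK: {perm} (grants access to {data})")
    if result["high_risk"]:
        print("Verdict: app requests data-collection permissions an alert app does not need")
```

A permission missing from the baseline is not proof of malice on its own, so the script separates "extra" from "high risk": the verdict rests on the combination of permissions the article describes, not on any single one.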

In a related incident, the legitimate RedAlert app has itself been hijacked, with hacktivists exploiting API vulnerabilities to send fake notifications. Users should make sure they run the latest version of the app with its security updates to mitigate or prevent these risks.
