New Delhi, March 3 (AHN) AI-driven cybersecurity firm CloudSEK has uncovered a malicious SMS spoofing campaign distributing a trojanised version of Israel’s official “Red Alert” emergency mobile application, exploiting public panic amid the ongoing Israel-Iran conflict.

According to the company, threat actors are spreading a fake Android app through targeted SMS phishing (smishing) messages that prompt users to sideload an APK file posing as an urgent wartime update.

The malicious app impersonates the official alert platform of Israel’s Home Front Command and mirrors its interface while embedding spyware capabilities.

Unlike the legitimate app available on the Google Play Store, the trojanised version requests high-risk permissions, including access to SMS, contacts and precise location data, CloudSEK said.

Once installed, the malware can intercept entire SMS inboxes, harvest contact lists and continuously track GPS coordinates.

CloudSEK also noted that the malware uses advanced evasion techniques, including signature spoofing to mimic the original app’s 2014 signing certificate and installer spoofing to appear as if it were downloaded from the Play Store.

The application dynamically loads hidden payloads and executes a multi-stage infection chain to bypass standard security checks.

During runtime analysis, researchers observed that the malware initiates background threads to monitor permission approvals.

Data collected from infected devices is staged locally and exfiltrated via HTTP POST requests to attacker-controlled infrastructure, including the domain api.ra-backup[.]com.

The campaign leverages cloud-hosted infrastructure, with IP addresses linked to AWS and Cloudflare services, making backend attribution more difficult.

CloudSEK warned that the spyware poses both digital and physical security risks. The firm noted that real-time location tracking during active air raids could expose civilian movement patterns, while SMS interception may allow attackers to bypass two-factor authentication and target high-value individuals.

The company advised users to avoid installing applications from unknown sources and to download emergency apps only from official app stores. For suspected infections, it recommended immediate device isolation and a full factory reset to prevent further data compromise.