Ethical Hacking News
Israeli smartphones are under threat from a new wave of spyware disguised as emergency-alert apps via SMS messages. The malicious software has been linked to a Hamas-aligned cyberespionage group and is capable of stealing sensitive user data, including GPS locations and contact lists.
Security researchers discovered spyware disguised as an emergency-alert app sent to Israeli smartphones via SMS messages. The malicious app uses spoofed certificates and appears legitimate to gain access to users' personal data. The campaign is likely indiscriminate, with no way to know how many infections were successful, according to TRU senior security researcher Eliad Kimhy. The threat researchers believe the campaign may be linked to a Hamas-aligned cyberespionage group called Arid Viper. The malware requests 20 permissions, including access to GPS location, SMS messages, and accounts stored on the device. Stolen data is staged locally and then continuously transmitted to the attackers' remote command-and-control server.
In a shocking turn of events, security researchers have discovered that spyware disguised as an emergency-alert app has been sent to Israeli smartphones via SMS messages. The malicious app, which was discovered by the Acronis Threat Research Unit (TRU), uses spoofed certificates and appears to be legitimate in order to gain access to users' personal data.
According to TRU senior security researcher Eliad Kimhy, the campaign is likely indiscriminate, with no way to know for sure how many infections were successful. The Israeli National Cyber Directorate and all major Israeli news sites have since released a warning about the phishing attack, further supporting the theory that this is broadly indiscriminate.
The threat researchers believe that the campaign may be linked to a Hamas-aligned cyberespionage group called Arid Viper (aka APT-C-23, Desert Falcons, or Two-tailed Scorpion), which has been active since at least 2013. This crew typically targets Israelis using surveillance malware for Android, iOS, and Windows systems.
The new campaign used SMS messages impersonating the official "Oref Alert" rocket-warning service, sent from spoofed sender IDs, and urged recipients to install an updated version of the emergency-alert app. Each message carried a bit.ly shortened link, but instead of leading to a legitimate update of the alert app, it redirected recipients to download the spyware, which collects and exfiltrates their information.
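The lure described above combines three signals that can be scored mechanically: an alphanumeric sender ID (freely set by bulk-SMS gateways and trivially spoofed), a shortened link that hides the real download host, and text urging the recipient to install an app from that link. The following triage script is an added example and is not code from the article or from Acronis TRU. The shortener list beyond bit.ly, the lure vocabulary, the scoring weights, and the two sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# URL shorteners to flag. bit.ly is the one the article names; the others are
# assumptions added to make the check general.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Wartime-themed lure vocabulary (assumption; "Oref" is the name the article gives).
LURE_TERMS = ("oref", "red alert", "rocket", "missile", "emergency", "siren")
ACTION_TERMS = ("install", "download", "update")

URL_RE = re.compile(r"https?://([^\s/]+)(?:/\S*)?", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d{6,15}")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage_sms(sender: str, body: str) -> Verdict:
    """Score one SMS for the lure pattern: spoofed sender ID + shortened link + install prompt."""
    v = Verdict()
    text = body.lower()

    # Alphanumeric sender IDs cannot be replied to and are set by the sending gateway,
    # so a brand-like ID such as an alert service name is no evidence of origin.
    if not PHONE_RE.fullmatch(sender.strip()):
        v.add(1, f"alphanumeric sender ID '{sender}'")

    hosts = [m.group(1).lower() for m in URL_RE.finditer(body)]
    for host in hosts:
        if host in SHORTENER_HOSTS:
            # A shortener hides the real download host from the recipient.
            v.add(2, f"shortened link via {host}")

    lure_hits = [t for t in LURE_TERMS if t in text]
    if lure_hits:
        v.add(1, "alert/wartime lure terms: " + ", ".join(lure_hits))

    # Genuine alert apps are updated through the app store, not through a link in an
    # SMS; an install prompt next to a link is the core of the lure.
    if hosts and any(a in text for a in ACTION_TERMS):
        v.add(2, "urges installing an app from the linked URL")

    return v


def is_suspicious(v: Verdict, threshold: int = 4) -> bool:
    return v.score >= threshold


# Constructed sample messages (not real captures); the link is a placeholder.
LURE_SMS = ("OrefAlert",
            "Red Alert: an updated version of the emergency alert app is required. "
            "Install now: https://bit.ly/example-update")
BENIGN_SMS = ("+972501234567", "Running late, see you at 8.")

if __name__ == "__main__":
    for sender, body in (LURE_SMS, BENIGN_SMS):
        verdict = triage_sms(sender, body)
        print(f"{sender!r}: score={verdict.score} suspicious={is_suspicious(verdict)}")
        for why in verdict.reasons:
            print("  -", why)
```

The shortener check is deliberately host-based and offline; expanding the link to see the final download host would be the next step in a sandbox, never on the recipient's phone.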
The malware's developers signed the app with a spoofed certificate, and the app also spoofs its installer source so that it appears to have been installed from Google Play. Android accepts any consistently signed APK, so the certificate's details and the installer attribution are what on-device security checks and cautious users fall back on to judge legitimacy; faking both let the app slip past those checks and appear legitimately signed. The reliable test is whether the signing key matches the genuine publisher's key, not what the certificate subject or the installer field claims.
Analysis of the malware shows that it requests 20 permissions. Six of them are especially worrying: they grant real-time access to the user's precise GPS location, SMS messages, contact list, and the accounts stored on the device. The malware can also draw phishing overlays on top of other applications, letting the operators intercept one-time passwords, credentials, and account numbers, and it maintains persistence by starting automatically after each device reboot.
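The capabilities listed above map onto a small, recognisable set of Android permissions plus one manifest component: a broadcast receiver wired to BOOT_COMPLETED, which is what actually makes an app relaunch after reboot (the permission alone does nothing). The triage script below is an added example, not code from the article or from Acronis TRU. It expects a decoded text manifest (as produced by apktool; an APK's own manifest is binary AXML), and the sample manifest, its package name, and the assumption about which standard permissions the real sample declared are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Capabilities the article describes, mapped to the standard Android permissions that
# grant them. Which of these the real sample declared is an assumption.
CAPABILITY_PERMISSIONS = {
    "precise GPS location": {"android.permission.ACCESS_FINE_LOCATION"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "device accounts": {"android.permission.GET_ACCOUNTS"},
    "overlay other apps (phishing overlays)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "auto-start after reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Constructed manifest illustrating the pattern; not the real sample's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alertupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Alert Update">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def boot_receivers(manifest_xml: str) -> list[str]:
    """Receivers registered for BOOT_COMPLETED: the component that gives reboot persistence."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NAME) for a in receiver.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            found.append(receiver.get(ANDROID_NAME))
    return found


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the spyware-relevant capabilities a manifest declares."""
    perms = declared_permissions(manifest_xml)
    capabilities = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    receivers = boot_receivers(manifest_xml)
    # Persistence needs both the permission and a receiver wired to BOOT_COMPLETED.
    persistent = bool(receivers) and "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    return {
        "permission_count": len(perms),
        "capabilities": sorted(capabilities),
        "boot_receivers": receivers,
        "persists_across_reboot": persistent,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"{report['permission_count']} permissions declared")
    for cap in report["capabilities"]:
        print("  -", cap)
    print("boot receivers:", report["boot_receivers"],
          "persistent:", report["persists_across_reboot"])
```

An emergency-alert app has a plausible need for location and for running after reboot, so the combination that should trigger escalation is SYSTEM_ALERT_WINDOW together with SMS, contacts and accounts access; no alert service needs to draw over other apps or read text messages.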
All of this stolen data is staged locally and then continuously transmitted to the attackers' remote command-and-control (C2) server.
"Situations like these are increasingly becoming a layer that runs in parallel to kinetic conflict," said Santiago Pontiroli, TRU lead security researcher. "Attackers frequently leverage wartime themes such as emergency alerts, missile warnings, or security updates as social engineering lures to distribute surveillance malware and collect sensitive information."
Periods of military escalation in the region are consistently accompanied by a rise in cyber operations, and previous conflicts involving Israel have repeatedly triggered campaigns by hacktivist and espionage-focused actors seeking to exploit the situation.
This new campaign is just another example of how cyber operations increasingly serve as an intelligence-gathering layer that runs in parallel to kinetic conflict, enabling actors to monitor targets, map networks, and identify high-value individuals during periods of heightened geopolitical tension.
Related Information:
https://www.ethicalhackingnews.com/articles/Spyware-Disguised-as-Emergency-Alert-App-Sent-to-Israelis-via-SMS-Messages-Steals-Personal-Data-ehn.shtml
Published: Fri Mar 6 13:36:43 2026 by llama3.2 3B Q4_K_M