
Image: Rami Al-zayat (unsplash)
Israeli Android users are at risk from a trojanised version of the ‘RedAlert – Rocket Alerts’ app. While the application appears to deliver the promised alerts, it silently runs spyware in the background.
‘RedAlert – Rocket Alerts’ is a renowned open-source application, used predominantly by Israeli citizens to get notifications of potential rocket threats aimed at the nation. The application enjoys widespread use, evidenced by its over a million downloads from the Google Play Store.
Recently, with increasing rocket activities in South Israel, the demand for the app surged. People were anxious to get prompt alerts about possible threats in their vicinity.
Cloudflare’s investigations reveal that unidentified hackers, with uncertain motives, are exploiting this heightened interest in the app. They are disseminating a fraudulent version that covertly plants spyware on devices.
The malevolent version is available on the website “redalerts[.]me,” set up on October 12, 2023. The website offers two download options for the app, catering to both iOS and Android users.
For iOS users, the download link redirects them to the genuine project’s page on the Apple App Store. However, Android users are presented with a direct APK file download for installation.
Spyware Details
When users download the APK, it operates with the original RedAlert app’s code. As such, it embodies all standard features and, on the surface, seems like an authentic rocket alert tool.
Yet, Cloudflare’s analysis shows that the app requests additional permissions beyond those the genuine app needs. It seeks access to the user’s contacts, text messages, list of installed apps, call history, the phone’s IMEI, and the email and application accounts associated with the device, among others.
Once launched, the app silently starts a background service. This service abuses the granted permissions to collect data, encrypts it using AES in CBC mode, and sends it to a hard-coded IP address.
Additionally, the app is built with layers of protection against debugging, emulation, and testing. These anti-analysis measures are meant to deter researchers and obstruct code review.
Protective Measures for RedAlert Users
At the time of writing, the malicious website is offline. However, given the attackers’ persistence, they may resurface under a new domain now that their activity has been exposed.
A straightforward way to tell the genuine and tampered versions apart is to inspect the permissions the app requests during installation, or the permissions it has already been granted if it is already on the device.
To check this, long-press the app icon, choose ‘App info,’ and then open ‘Permissions.’
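The same permission comparison can be done offline against the APK itself rather than through the phone’s settings. The following is an added example, not code from Cloudflare or the RedAlert project: it parses a decoded AndroidManifest.xml, subtracts an assumed baseline of permissions a simple alert app needs, and flags any extras that map to the data categories named in the report. The baseline set and the sample manifest are constructed for illustration; the genuine app’s actual permission list is not given on this page.

```python
"""Diff an APK manifest's requested permissions against a baseline."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions corresponding to the data the report says the spyware collects.
SENSITIVE = {
    "android.permission.READ_CONTACTS",       # contacts
    "android.permission.READ_SMS",            # text messages
    "android.permission.QUERY_ALL_PACKAGES",  # list of installed apps
    "android.permission.READ_CALL_LOG",       # call history
    "android.permission.READ_PHONE_STATE",    # IMEI / device identifiers
    "android.permission.GET_ACCOUNTS",        # email and application accounts
}

# ASSUMED baseline for a legitimate alert app; replace with the real list
# taken from the genuine app's manifest (e.g. after `apktool d app.apk`).
BASELINE = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def excess_permissions(manifest_xml: str, baseline=BASELINE) -> dict:
    """Split permissions missing from the baseline into 'sensitive' and 'other'."""
    extra = requested_permissions(manifest_xml) - set(baseline)
    return {"sensitive": sorted(extra & SENSITIVE), "other": sorted(extra - SENSITIVE)}

# Constructed sample manifest standing in for a trojanised build.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.alerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

if __name__ == "__main__":
    report = excess_permissions(SAMPLE_MANIFEST)
    print("sensitive extras:", report["sensitive"])
    print("other extras:", report["other"])
```

Any entry under "sensitive" is a strong signal that the build is not the upstream app, since none of those permissions is needed to receive a rocket alert.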
Moreover, there have been instances where the genuine RedAlert app itself was compromised: attackers exploited API vulnerabilities to push false alerts to users.
To reduce the chances of falling victim to these schemes, users are advised to keep the app updated so that they have the most recent security patches.