As cyber threats continue to mount amidst the Israel-Gaza conflict, threat actors have been observed using a malicious version of the ‘RedAlert – Rocket Alerts’ app to spread spyware.
The app is popularly used by Israelis and, with the latest Hamas terrorist attacks in South Israel, the number of users for the app has exploded as more and more people are seeking timely warnings about airstrikes in their area.
Understanding the fake app campaign
- This development comes two days after a threat actor group named AnonGhost exploited a security issue in the ‘Red Alert: Israel’ app to intercept requests, expose servers and APIs, and send fake alerts to users, including nuclear bomb messages.
- The website provides the option to download the app for the iOS and Android platforms.
- While the iOS download redirects a user to the legitimate project’s page on the Apple App Store, clicking on the Android button directly downloads an APK file to be installed on the victim’s device.
- Although the APK is built on the legitimate Rocket Alert app code, researchers highlight that it requests additional permissions from the victims. These include access to the user’s contacts, numbers, SMS content, list of installed software, call logs, phone IMEI, and logged-in email and app accounts, among others.
- Upon execution, the malicious app initiates a background service that abuses these permissions and harvests sensitive data from Android phones to be sent to a C2 server.
Other threats in the spotlight
- Besides these, several threat actors have emerged to target organizations and infrastructure in Israel and Gaza with DDoS attacks. The latest attacks are aimed at SCADA and ICS systems.
- Moreover, an Israel-backed hacking group named Predatory Sparrow has re-emerged after a long hiatus to launch attacks.
To tackle the current threat, Android users are advised to avoid using internet URLs or third-party app stores to download the app. Furthermore, they must verify the legitimacy of the app by checking users’ reviews. Additionally, organizations can leverage the IoCs associated with the incident to block malicious domains on networks.