www.infosecurity-magazine.com 3/3/2026, 4:40:28 PM

RedAlert spyware hijacks Israel's rocket app via fake update

CyberSIXT Evidence Panel
Threat Actor
RedAlert

A new mobile espionage campaign, dubbed RedAlert, exploits civilian fears amid the Israel-Iran conflict by trojanising Israel’s official Red Alert rocket warning app and distributing it via SMS phishing, first identified on 3 March 2026. The campaign bypasses the Google Play Store, inviting victims to sideload a fake update that mimics the legitimate app from the Israel Defence Forces Home Front Command, according to CloudSEK.

The fraudulent variant not only delivers real rocket alerts but also runs a surveillance payload in the background, aggressively requesting high‑risk permissions such as access to SMS messages, contacts and precise GPS location data. It uses anti‑detection techniques, spoofing the original 2014 signing certificate and manipulating installation data to appear as though downloaded from the Play Store, while a three‑stage infection chain activates spyware and C2 communications.
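The indicators in the paragraph above (an app that claims to be a Play Store install but was sideloaded, a signing certificate that no longer matches the original, and the SMS/contacts/precise-location permission cluster) translate directly into a fleet-wide triage check over MDM app inventory. The script below is an added example, not code from CloudSEK or from the article; the package name `com.example.rocketalert`, the pinned fingerprint and every inventory record are constructed placeholders. The installer and permission names (`com.android.vending`, `android.permission.READ_SMS`, etc.) are real Android values. Because the report says installation metadata was manipulated to look like a Play Store download, the installer field is treated as a weak signal and the certificate mismatch as the primary one.

```python
"""Triage Android app-inventory records for RedAlert-style indicators:
a pinned package whose signing certificate no longer matches, an install
that did not come from the Play Store, and the high-risk permission
cluster (SMS, contacts, precise location) the report describes.

Package names, fingerprints and inventory rows are constructed
placeholders for this example, not values taken from the report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"  # real installer package name for Google Play

# High-risk permission cluster described in the report (real Android permission names).
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Pinned signing-certificate fingerprints (SHA-256 hex) for packages we want to verify.
# Hypothetical: a real deployment fills this from a verified reference install.
PINNED_CERTS: Dict[str, str] = {
    "com.example.rocketalert": "AA" * 32,
}


@dataclass
class AppRecord:
    device_id: str
    package: str
    installer: str               # installer package as reported by the platform ("" = sideloaded)
    cert_sha256: str             # hex fingerprint of the APK signing certificate
    permissions: List[str] = field(default_factory=list)


def triage(record: AppRecord) -> List[str]:
    """Return human-readable findings for one installed app (empty list = nothing suspicious)."""
    findings: List[str] = []
    pinned = PINNED_CERTS.get(record.package)
    if pinned is not None:
        # Primary signal: the signing certificate must match the pinned reference.
        if record.cert_sha256.upper() != pinned.upper():
            findings.append("signing certificate does not match pinned reference")
        # Weak signal: the report says installer metadata can be spoofed to look like Play.
        if record.installer != PLAY_STORE_INSTALLER:
            shown = record.installer or "<none/sideloaded>"
            findings.append(f"expected Play Store install, installer is {shown}")
    # Permission cluster: all three high-risk permissions together is the profile described.
    if HIGH_RISK.issubset(record.permissions):
        findings.append("holds full SMS+contacts+precise-location permission cluster")
    return findings


def triage_inventory(records: List[AppRecord]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group non-empty findings by device so a responder can isolate affected devices first."""
    flagged: Dict[str, List[Tuple[str, List[str]]]] = {}
    for rec in records:
        hits = triage(rec)
        if hits:
            flagged.setdefault(rec.device_id, []).append((rec.package, hits))
    return flagged


# Constructed sample inventory: one clean install, one spoofed install that claims
# Play Store provenance, one plainly sideloaded copy, and an unrelated app.
CLUSTER = sorted(HIGH_RISK)
SAMPLE_INVENTORY = [
    AppRecord("dev-01", "com.example.rocketalert", PLAY_STORE_INSTALLER, "AA" * 32,
              ["android.permission.ACCESS_FINE_LOCATION", "android.permission.POST_NOTIFICATIONS"]),
    AppRecord("dev-02", "com.example.rocketalert", PLAY_STORE_INSTALLER, "BB" * 32, CLUSTER),
    AppRecord("dev-03", "com.example.rocketalert", "", "BB" * 32, CLUSTER),
    AppRecord("dev-03", "com.example.weather", PLAY_STORE_INSTALLER, "CC" * 32,
              ["android.permission.ACCESS_COARSE_LOCATION"]),
]

if __name__ == "__main__":
    for device, apps in triage_inventory(SAMPLE_INVENTORY).items():
        for package, hits in apps:
            print(f"{device} {package}: " + "; ".join(hits))
```

The inventory rows map onto what an MDM export typically provides (package, installer, signing certificate, granted permissions); the point of keeping the certificate check first is that it survives the installer-metadata manipulation the report describes, while the permission cluster alone would also flag legitimate apps and is only meaningful in combination.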

Exfiltrated data, including SMS inboxes, contacts and real‑time location, is staged locally and then sent to attacker‑controlled servers via HTTP POST, with outbound traffic observed to services hosted on AWS and proxied through Cloudflare, according to researchers. The operation poses strategic and physical security risks, and security teams urge device isolation, revocation of admin privileges, factory resets where needed, and blocking of known malicious domains through mobile device management policies.


Article by CyberSIXT