While the identity of the culprits behind this spyware campaign remains uncertain, their tactics closely resemble those used by pro-Palestinian hackers, such as AnonGhost.
On October 9th, 2023, Hackread.com reported on the infiltration by pro-Palestinian hackers associated with AnonGhost into the Red Alert app, an Israeli application designed by Kobi Snir exclusively for delivering missile and rocket alerts to the Israeli population. Seizing this opportunity, AnonGhost maliciously disseminated fabricated rocket, missile, and even nuclear bomb alerts to Israelis.
Now, Cloudflare’s Cloudforce One Threat Operations Team has uncovered a similar incident, this time targeting a different rocket alert app. The researchers identified a malicious website (redalertsme) hosting a Google Android Application (APK) impersonating the legitimate RedAlert – Rocket Alerts application originally created by Elad Nava. The motive behind this malicious website was to infect unsuspecting Israeli app users with spyware.
Rocket alert apps have gained immense popularity in Israel, providing crucial alerts to citizens about incoming air strikes, which have sadly become an all too common occurrence. The misuse of these applications, as witnessed in the recent hack, has the potential to create widespread panic and further escalate an already tense situation.
According to a blog post by Cloudflare, the malicious domain in question offered both iOS and Android versions of the mobile application. However, while the link for the iOS version directed users to the legitimate App Store page, the Android version was a manipulated variant.
The malicious application, while retaining elements of the original code, had been equipped with the capability to collect sensitive user data. This included access to contacts, call logs, text messages, account information, SIM card details, and a list of installed applications on the victim’s device.
To make matters worse, the malicious app operated stealthily in the background, continuously harvesting data from the compromised device. The stolen information was then sent to a remote server.
Although the data was encrypted, the use of RSA encryption with a bundled public key within the app made it theoretically possible for anyone intercepting the data packets to decrypt the information.
The website hosting the spyware-infested version of RedAlert has since been taken down. However, users who may have unwittingly installed this malicious application remain at risk. They are advised to take immediate action to cleanse their devices of the spyware.
To determine whether their devices have been compromised, users are urged to check the permissions that the app has requested. Suspicious permissions include access to call logs, contacts, phone features, and SMS capabilities. These indicators should be taken seriously to ensure the security of their devices and personal information.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented on the issue and warned users that they must download apps from official stores to avoid unexpected security threats.
“This is another example of why all phone apps should only be downloaded from the official app stores. Just too many trojan apps taking excessive permissions to trust any app downloaded from anywhere,” Grimes said.
Grimes acknowledged that although sometimes official Play Stores can distribute viruses, tech giants mitigate such threats quite quickly. “Trojan apps are found in the official Play Stores, but they are less likely and will be removed as soon as someone reports them. There is just too much risk in downloading apps outside the official app stores,” Grimes added.
While malicious AI chatbots like WormGPT and FraudGPT assist malicious actors in generating novel ideas with user-friendly technology, traditional cyber warfare tactics, such as hackvisits, persist. Presently, both pro-Palestinian and Israeli hackvisits are focusing on each other’s critical ICS products.
As hackers continuously innovate, it is crucial for users to remain vigilant and informed about protecting themselves from the ever-evolving cybersecurity threats.
- Israel’s Channel 10 TV Station Hacked by Hamas
- Hamas hacked the smartphones of over 100 IDF soldiers
- Hamas posed as women to con IDF into downloading malware
- Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
- Hamas hacked phones of IDF soldiers with seductive phones of women