Malicious “RedAlert – Rocket Alerts” application targets Israeli phone calls, SMS, and user information

Threat researchers uncovered a fake Android APK masquerading as the RedAlert – Rocket Alerts app, hosted on a deceptive site and designed to harvest extensive device data. The malware collects sensitive information and sends it to the attacker’s server, using domain impersonation and anti-analysis tricks to evade detection.

#RedAlert #EladNava #AnonGhost #redalertsme #redalertme

Keypoints

  • The malicious RedAlert variant impersonates the legitimate RedAlert – Rocket Alerts Android app.
  • Domain impersonation is used via redalerts[.]me (and redalert[.]me) to mislead users into downloading the malicious APK.
  • The app requests dangerous permissions (e.g., GET_ACCOUNTS, READ_CONTACTS, READ_SMS, READ_CALL_LOG) and runs a background malicious service.
  • Collected data includes SIM info, contacts, SMS, accounts, calls, emails, and installed apps, which is uploaded to a hardcoded HTTP server.
  • Stolen data is encrypted with AES (CBC, PKCS5) and RSA (public key bundled in the app) before exfiltration.
  • Anti-analysis capabilities (anti-debugging, anti-emulation, anti-monkey) are included to hinder runtime analysis.

MITRE Techniques

  • [T1036] Masquerading – The malicious RedAlert version imitates the legitimate rocket alert application. “The malicious RedAlert version imitates the legitimate rocket alert application.”
  • [T1518] Software Discovery – The malware collects a list of installed applications. “List of installed applications”
  • [T1027] Obfuscated/Encrypted Files and Information – Data is encrypted before exfiltration: “encrypted with AES in CBC mode with PKCS5 Padding. The keys are randomly generated and appended to the packaged data, however the keys are encrypted with RSA using a public key bundled in the malicious app.”
  • [T1071] Web Protocols – The Connector uploads data to an HTTP server, indicating command and control over web protocols: “The Connector is responsible for encrypting the stolen data and uploading it to the HTTP server.”
  • [T1041] Exfiltration Over Unencrypted/Encrypted Channel – Data is uploaded to an HTTP server with a hardcoded IP address: “Stolen data is uploaded to an HTTP server at a hardcoded IP address.”
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis capabilities (anti-debugging, anti-emulation, anti-test) to avoid runtime analysis: “anti-debugging, anti-emulation, and anti-test operations”

Indicators of Compromise

  • [URL] Malicious download and C2 endpoints – hxxp://redalerts[.]me/app.apk, hxxp://23.254.228[.]135:80/file.php
  • [Hash] Malicious RedAlert APK – 5087a896360f5d99fbf4eb859c824d19eb6fa358387bf6c2c5e836f7927921c5
  • [Domain] Impersonated domains – redalerts[.]me, redalert[.]me
  • [IP] C2 address – 23.254.228[.]135
  • [File name] Encrypted data artifacts – _.enc, _.param, _.eparam
  • [Public key] RSA public key embedded in app – (RSA/ECB/PKCS1Padding key shown in article)
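
Defender-side triage for the key points and indicators above, added here as an example; it is not code from the article or from Cloudflare. It checks a decoded AndroidManifest.xml for the dangerous permission set and any background service, matches the impersonated domains and the C2 IP in proxy log lines (defanged tokens such as hxxp and [.] are accepted), compares an APK's SHA-256 with the published hash, and flags the encrypted-artifact suffixes. The manifest, log lines, file names and the com.example package name are constructed samples; the indicator values are the ones listed above. Python standard library only.

```python
"""Triage helpers built from the RedAlert indicators (example code, not the article's).

All sample inputs below are constructed; only the indicator values come from
the write-up.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the write-up lists as requested by the malicious APK.
DANGEROUS_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# Network and file indicators from the write-up, stored in plain form for matching.
IOC_DOMAINS = {"redalerts.me", "redalert.me"}
IOC_IPS = {"23.254.228.135"}
IOC_SHA256 = {"5087a896360f5d99fbf4eb859c824d19eb6fa358387bf6c2c5e836f7927921c5"}
ARTIFACT_SUFFIXES = (".enc", ".param", ".eparam")  # "_" in the article is a variable prefix


def requested_dangerous_permissions(manifest_xml):
    """Return the subset of DANGEROUS_PERMISSIONS declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")}
    return declared & DANGEROUS_PERMISSIONS


def declared_services(manifest_xml):
    """List <service> class names so an analyst can see what runs in the background."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("service")]


def refang(token):
    """Normalise a log token (possibly defanged) down to a bare host or IP."""
    t = token.replace("[.]", ".").replace("hxxp", "http")
    t = re.sub(r"^https?://", "", t)
    t = t.split("/", 1)[0]  # drop any path
    t = t.split(":", 1)[0]  # drop any port
    return t.lower().strip(".,;\"'()")


def matched_indicator(host):
    """Return the IoC a host matches (exact IP, exact domain or subdomain), else None."""
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def match_network_iocs(log_lines):
    """Return (line_number, indicator) for every log line touching a known domain or IP."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for token in line.split():
            indicator = matched_indicator(refang(token))
            if indicator:
                hits.append((number, indicator))
                break
    return hits


def is_known_sample(apk_bytes):
    """True when the SHA-256 of the given APK bytes is the published malicious hash."""
    return hashlib.sha256(apk_bytes).hexdigest() in IOC_SHA256


def suspicious_artifacts(filenames):
    """Keep file names carrying the encrypted-output suffixes named in the article."""
    return [name for name in filenames if name.lower().endswith(ARTIFACT_SUFFIXES)]


# Constructed sample manifest: the permission set above plus one background service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakealert">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="RedAlert">
    <service android:name=".BackgroundService"/>
  </application>
</manifest>
"""

# Constructed proxy log lines; the two middle lines use the URLs listed in the IoCs.
SAMPLE_PROXY_LOG = [
    "2023-10-13T10:01:02Z GET http://example.org/index.html 200",
    "2023-10-13T10:02:15Z GET http://redalerts.me/app.apk 200",
    "2023-10-13T10:03:40Z POST http://23.254.228.135:80/file.php 200",
    "2023-10-13T10:04:01Z GET http://cdn.example.net/lib.js 304",
]

if __name__ == "__main__":
    print("dangerous permissions:", sorted(requested_dangerous_permissions(SAMPLE_MANIFEST)))
    print("services:", declared_services(SAMPLE_MANIFEST))
    print("network hits:", match_network_iocs(SAMPLE_PROXY_LOG))
    print("artifacts:", suspicious_artifacts(["report.pdf", "a1b2.enc", "a1b2.eparam"]))
```

The permission check is a triage signal, not a verdict: legitimate apps also request some of these permissions, so the hit should be read together with the network indicators, the hash and the presence of the encrypted-artifact files.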

Read more: https://blog.cloudflare.com/malicious-redalert-rocket-alerts-application-targets-israeli-phone-calls-sms-and-user-information/