Acronis TRU uncovered a targeted smishing campaign delivering a trojanized Red Alert Android app to Israeli users via SMS impersonating Home Front Command, preserving legitimate alert functionality while running hidden spyware. The implant uses certificate spoofing, runtime hooks, layered obfuscation and a C2 at hxxps://api[.]ra-backup[.]com/analytics/submit[.]php to harvest SMS, contacts, location, device accounts and installed apps for continuous exfiltration. #RedAlert #AridViper
Keypoints
- Smishing campaign impersonated Home Front Command (Oref Alert) using spoofed SMS sender IDs and bit.ly links to distribute a trojanized Red Alert APK.
- The malicious APK (RedAlert.apk, package com.red.alertx, SHA256 83651b0…b72) retains full alert functionality by loading the legitimate app from an embedded asset while running spyware in the background.
- Attackers implemented certificate spoofing via an IPackageManager dynamic proxy and spoofed installer source to bypass Android signing and make the app appear Play Store–installed.
- The malware monitors permission grants and immediately harvests sensitive data (SMS, contacts, location, device accounts) and enumerates installed applications for profiling.
- Collected data is staged locally and continuously exfiltrated to a hardcoded C2 at api.ra-backup[.]com/analytics/submit.php; the domain was registered through Namecheap in mid-2025.
- Evidence suggests possible linkage to Arid Viper (APT-C-23) based on targeting, tooling and operational patterns; mitigations include blocking C2 domains, auditing devices, and reinstalling only from Google Play.
MITRE Techniques
- [T1660] Phishing – Smishing via spoofed Home Front Command SMS with a shortened bit.ly link to the trojanized APK
- [T1658] Exploitation for Client Execution – Victim sideloads the trojanized RedAlert.apk from the SMS lure
- [T1624.001] Event Triggered Execution: Broadcast Receivers – RECEIVE_BOOT_COMPLETED relaunches the malware after device reboot
- [T1406.002] Obfuscated Files or Information: Software Packing – Loader extracts the legitimate app from assets (umgdn) and runs it as a cover
- [T1406] Obfuscated Files or Information – Strings are Base64-encoded and encrypted with a 32-byte XOR key; class and method names are randomized to resist analysis
- [T1632.001] Subvert Trust Controls: Code Signing Policy Modification – Dynamic proxy hooks IPackageManager to forge the app signature and spoof Play Store origin
- [T1630.001] Indicator Removal on Device: Uninstall Malicious Application – Overwrites mAppDir/sourceDir/publicSourceDir to redirect execution to the legitimate app and hinder removal
- [T1417] Input Capture – SYSTEM_ALERT_WINDOW overlay permission enables overlay-based credential phishing and potential input capture
- [T1418] Software Discovery – Enumerates installed applications via PackageManager and exfiltrates the app list in batches of 200
- [T1426] System Information Discovery – Uses reflection to invoke AccountManager methods and harvest device accounts
- [T1636.004] Protected User Data: SMS Messages – Queries Telephony.Sms.CONTENT_URI on permission grant to dump the full SMS database
- [T1636.003] Protected User Data: Contact List – Harvests contacts, phone numbers and emails via CommonDataKinds content providers
- [T1636.001] Protected User Data: Calendar Entries / Accounts – Uses the GET_ACCOUNTS permission to enumerate linked device accounts and related data
- [T1430] Location Tracking – Retrieves GPS location and applies geofenced conditional execution based on a proximity calculation
- [T1437.001] Application Layer Protocol: Web Protocols – C2 communication over HTTPS to hxxps://api[.]ra-backup[.]com/analytics/submit[.]php
- [T1646] Exfiltration Over C2 Channel – Continuous exfiltration of SMS, contacts, location, accounts and app list to the C2 server
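The T1406 entry above describes strings that are XORed with a 32-byte key and Base64-encoded. The following is an added analyst-side decoder for that scheme; it is example code written for this summary, not code from Acronis TRU or from the sample. It assumes the XOR step runs before the Base64 step (the summary does not state the order) and uses a constructed key, since the real key would have to be recovered from the unpacked dex. It also shows the known-plaintext trick an analyst uses to recover such a key when one decoded string of at least 32 bytes (for instance the C2 URL already observed in traffic) is known.

```python
"""Decoder for a Base64( plaintext XOR repeating-32-byte-key ) string scheme.

Added example for analysis of the obfuscation described in the summary.
Assumptions: XOR is applied before Base64, and SAMPLE_KEY is a constructed
stand-in for the real key, which must be recovered from the sample.
"""
import base64
import binascii
import itertools
import string

KEY_LEN = 32
# Constructed 32-byte key ('A'..'`'); NOT the key used by the real implant.
SAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))

# C2 URL from the published IoCs, refanged; used as known plaintext below.
C2_URL = "https://api.ra-backup.com/analytics/submit.php"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as often as needed."""
    if len(key) != KEY_LEN:
        raise ValueError("expected a %d-byte key" % KEY_LEN)
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def obfuscate(plaintext: str, key: bytes = SAMPLE_KEY) -> str:
    """Forward direction; only used here to construct test samples."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes = SAMPLE_KEY) -> str:
    """Reverse direction: strict Base64 decode, then XOR with the key."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw, key).decode("utf-8")


def recover_key(known_plaintext: str, blob: str) -> bytes:
    """Known-plaintext key recovery.

    Because raw == plaintext XOR key, the first 32 bytes of
    raw XOR plaintext are the key itself.
    """
    raw = base64.b64decode(blob, validate=True)
    pt = known_plaintext.encode("utf-8")
    if len(pt) < KEY_LEN or len(raw) < KEY_LEN:
        raise ValueError("need at least %d bytes of known plaintext" % KEY_LEN)
    return bytes(c ^ p for c, p in zip(raw[:KEY_LEN], pt[:KEY_LEN]))


PRINTABLE = set(string.printable)


def decode_candidates(candidates, key: bytes) -> dict:
    """Try every string from a dex string dump; keep those that decode cleanly
    to printable text. Returns {obfuscated: decoded}."""
    found = {}
    for cand in candidates:
        try:
            text = deobfuscate(cand, key)
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not valid UTF-8 after XOR
        if text and all(ch in PRINTABLE for ch in text):
            found[cand] = text
    return found


# Constructed stand-in for a dex string dump: three obfuscated strings mixed
# with ordinary identifiers that are not valid standard Base64.
SAMPLE_STRINGS = [
    "Landroid/os/Bundle;",
    obfuscate(C2_URL),
    "com.red.alertx",
    obfuscate("content://sms"),
    "RECEIVE_BOOT_COMPLETED",
    obfuscate("analytics/submit.php"),
]

if __name__ == "__main__":
    recovered = recover_key(C2_URL, obfuscate(C2_URL))
    print("recovered key matches constructed key:", recovered == SAMPLE_KEY)
    for blob, text in decode_candidates(SAMPLE_STRINGS, recovered).items():
        print("%-64s -> %s" % (blob, text))
```

In practice the candidate list comes from the strings of the unpacked dex, and the key recovery only needs one string whose plaintext is already known from network or runtime observation; everything else in the dump then decodes with that key.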
Indicators of Compromise
- [Hash] Trojanized APK SHA256 – 83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72
- [Package name] Malicious Android package – com.red.alertx (dropper/spying package)
- [Domains/C2] Command-and-control infrastructure and registration – ra-backup[.]com, api[.]ra-backup[.]com
- [C2 URL] Exfiltration endpoint – hxxps://api[.]ra-backup[.]com/analytics/submit[.]php
- [File name / asset] App and embedded payload files – RedAlert.apk (dropper); umgdn (embedded legitimate app asset, extracted to /data/user/0/com.red.alertx/files/)
- [Delivery vector] Shortened links in SMS – bit.ly shortened links used in smishing messages to deliver the APK
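The indicators above can be put to work directly. The script below is an added example (not Acronis TRU code) that refangs the published domains, hash and package name, sweeps a DNS resolver log for lookups of the C2 domains, and triages an MDM-style device inventory for the trojanized APK. The log format (`timestamp client qname qtype`) and the inventory fields are assumptions for this example, and all sample lines are constructed. Note that the inventory's installer field is deliberately not used as evidence: the summary states the implant spoofs the installer source to look Play Store–installed, so the APK hash and package name are the reliable checks.

```python
"""IoC sweep for the trojanized Red Alert campaign.

Added example; the IoCs are taken from the published summary, while the DNS
log format, the inventory fields and every sample record are constructed.
"""

# --- indicators from the summary (defanged as published) -----------------
IOC_DOMAINS = {"ra-backup[.]com", "api[.]ra-backup[.]com"}
IOC_C2_URL = "hxxps://api[.]ra-backup[.]com/analytics/submit[.]php"
IOC_SHA256 = "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72"
IOC_PACKAGE = "com.red.alertx"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


C2_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def domain_matches(hostname: str) -> bool:
    """True if hostname is a C2 domain or any subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Constructed resolver log, assumed format: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """
2025-09-01T10:00:01Z 10.0.0.12 api.ra-backup.com A
2025-09-01T10:00:02Z 10.0.0.12 alerts.example.org A
2025-09-01T10:00:03Z 10.0.0.40 cdn.ra-backup.com.example A
2025-09-01T10:00:04Z 10.0.0.55 RA-BACKUP.COM A
"""


def scan_dns_log(text: str) -> list:
    """Return (client, qname) for every lookup that hits a C2 domain."""
    hits = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        _ts, client, qname, _qtype = parts[:4]
        if domain_matches(qname):
            hits.append((client, qname.lower()))
    return hits


# Constructed device inventory, e.g. exported from an MDM. The "installer"
# value is kept only to show it must NOT be trusted (the implant spoofs it).
SAMPLE_INVENTORY = [
    {"device": "dev-01", "package": "com.red.alertx",
     "sha256": IOC_SHA256, "installer": "com.android.vending"},
    {"device": "dev-02", "package": "com.red.alertx",
     "sha256": "00" * 32, "installer": "com.android.vending"},
    {"device": "dev-03", "package": "com.example.weather",
     "sha256": "11" * 32, "installer": "com.android.vending"},
]


def triage_inventory(inventory: list) -> dict:
    """Return {device: [reasons]} for devices needing audit/reinstall."""
    flagged = {}
    for rec in inventory:
        reasons = []
        if rec.get("sha256", "").lower() == IOC_SHA256:
            reasons.append("sha256 matches known trojanized APK")
        if rec.get("package") == IOC_PACKAGE:
            reasons.append("malicious package name %s present" % IOC_PACKAGE)
        if reasons:
            flagged[rec["device"]] = reasons
    return flagged


if __name__ == "__main__":
    print("refanged C2 URL:", refang(IOC_C2_URL))
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit: %s looked up %s" % (client, qname))
    for device, reasons in triage_inventory(SAMPLE_INVENTORY).items():
        print("flag %s: %s" % (device, "; ".join(reasons)))
```

dev-02 carries the malicious package name with a different hash and is still flagged, since a rebuilt APK would change the hash but not the package identity the summary lists; the host `cdn.ra-backup.com.example` is not flagged because its registrable domain is not one of the listed C2 domains.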