RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command | CloudSEK

The RedAlert campaign distributes a trojanized version of the official Israeli Home Front Command “Red Alert” app via targeted SMS phishing, tricking users into sideloading a malicious APK that mirrors the legitimate UI while embedding a multi-stage spyware payload. The malware spoofs signing certificates and installer metadata, requests high-risk permissions to harvest SMS, contacts, and GPS, and exfiltrates data to attacker-controlled infrastructure; immediate quarantine, network blocking, and factory resets are recommended. #RedAlert #HomeFrontCommand

Keypoints

  • Threat actors use smishing links to distribute a trojanized RedAlert.apk that bypasses the Google Play Store and persuades users to sideload the app.
  • The malware hooks Android’s Package Manager to spoof the 2014 signing certificate and return “com.android.vending” as the installer, evading integrity and tamper checks.
  • Infection is multi-stage: Stage 1 cloaks and extracts an asset named “umgdn”, Stage 2 dynamically loads that payload as a DEX, and Stage 3 executes the core DebugProbesKt.dex spyware.
  • The trojan replicates the official app’s GUI while coercing users into granting high-risk permissions (SMS, Contacts, Location) and immediately activates modules as permissions are granted.
  • Harvested data (SMS inbox, contacts, precise GPS) is staged locally and rapidly exfiltrated via HTTP POST to https://api.ra-backup[.]com/analytics/submit.php to attacker C2 infrastructure.
  • Operators leverage Cloudflare and AWS infrastructure (e.g., 104.21.x.x, 172.67.x.x, 44.x.x.x) to proxy and shield backend servers, complicating attribution and takedown efforts.
  • Recommended mitigations include device quarantine and factory reset, revoking admin rights, perimeter blocking of identified domains/IPs, strict MDM policies to forbid sideloading, and user awareness about smishing lures.

MITRE Techniques

  • [T1204.002] Spearphishing Link – Delivery via targeted SMS phishing (smishing) that convinces users to sideload the malicious APK (‘distributing a trojanized version of the official Home Front Command application through targeted SMS phishing (smishing).’)
  • [T1036] Masquerading – The app mirrors the official Red Alert GUI and presents itself as the legitimate Home Front Command application to avoid user suspicion (‘perfectly mirrors the graphical user interface (GUI) of the official Israeli Home Front Command Red Alert application.’)
  • [T1553.002] Subvert Trust Controls: Code Signing – Spoofs the app’s signing certificate and returns a hardcoded signature to bypass signature verification (‘returns a hardcoded signature … instead of the real one. This is used to bypass signature verification checks’)
  • [T1105] Ingress Tool Transfer – Stages and loads additional payloads from embedded assets (umgdn → DEX → DebugProbesKt.dex) to shift execution away from statically scannable components (‘It looks for an asset named umgdn… treating this raw asset as a Dalvik Executable (DEX)’)
  • [T1027] Obfuscated Files or Information – Core payload and classes are heavily obfuscated to hinder static analysis and reverse engineering (‘The core payload, heavily obfuscated within the class…’)
  • [T1056] Input Capture – Intercepts and harvests SMS inbox contents and contact lists by requesting and abusing SMS/Contacts permissions (‘intercept complete SMS inboxes, harvest contact books’)
  • [T1005] Data from Local System – Collects sensitive local data including SMS, contacts, and precise GPS coordinates before staging for exfiltration (‘staging the collected intelligence (including the SMS inbox, complete contact lists, and real-time GPS coordinates) into categorized local files’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltrates staged data via HTTP POST to a C2 endpoint (api.ra-backup[.]com/analytics/submit.php) (‘via HTTP POST requests to https://api[.]ra-backup[.]com/analytics/submit.php’)
  • [T1041] Exfiltration Over C2 Channel – Persistent uploader thread loops to rapidly transmit harvested data to attacker-controlled C2 infrastructure (‘a dedicated uploader thread loops, establishing rapid outbound connections to transmit the payload’)

Indicators of Compromise

  • [File Name] Malicious and embedded files – RedAlert.apk, umgdn (embedded asset)
  • [File Hash] Static analysis hashes for the malicious APK – MD5: 9c6c67344fecd8ff8dbbee877aad7efc, SHA256: 83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72
  • [Domain / URL] C2 and download URLs – api.ra-backup[.]com/analytics/submit[.]php, https[:]//www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk (also observed: multiple bit[.]ly shorteners)
  • [IP Address] Infrastructure and proxying endpoints – 216.45.58.148 (api.ra-backup.com), 44.208.242.141 (api.pushy.me) and 4 other associated IPs observed during execution
  • [Package Name] Malicious Android package identifier – com.red.alertx
  • [Certificate] Signing certificate details used for spoofing – X.509 certificate Subject: C=IL, Issuer: C=IL, Valid From: July 12, 2014; Valid To: June 18, 2114 (decoded from embedded Base64 signature payload)
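Defender-side triage built from the indicators above, as an added example that is not code from the CloudSEK report: it runs the lure URL, C2 host/path and C2 IP over constructed proxy log lines, and checks an MDM inventory record for the package name, APK hash and a non-store installer (the in-app PackageManager hook cannot alter what an out-of-process inventory query sees). The log layout, the STORE_INSTALLERS allowlist and the record field names are assumptions.

```python
import re

# Indicators copied from the write-up above (defanging brackets removed so they match raw logs).
C2_HOST = "api.ra-backup.com"
C2_PATH = "/analytics/submit.php"
C2_IPS = {"216.45.58.148"}  # 44.208.242.141 (api.pushy.me) is a shared push service, so it is left out
MALICIOUS_PKG = "com.red.alertx"
MALICIOUS_SHA256 = "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72"
LURE_RE = re.compile(r"shirideitch\.com/.*RedAlert\.apk", re.IGNORECASE)
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}  # assumed allowlist

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <server_ip> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    """Return (line_no, reason) for each line that touches the campaign's delivery or C2 path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, _client, method, url, server_ip, _status = m.groups()
        if method == "POST" and C2_HOST in url and url.endswith(C2_PATH):
            hits.append((n, "exfil POST to RedAlert C2"))
        elif server_ip in C2_IPS:
            hits.append((n, f"traffic to campaign IP {server_ip}"))
        elif LURE_RE.search(url):
            hits.append((n, "download of trojanized RedAlert.apk lure"))
    return hits

def triage_app(record):
    """Flag an MDM inventory record (dict: package, sha256, installer) matching the trojan."""
    reasons = []
    if record.get("package") == MALICIOUS_PKG:
        reasons.append("package name matches trojan")
    if record.get("sha256", "").lower() == MALICIOUS_SHA256:
        reasons.append("APK SHA-256 matches trojan")
    # The trojan's PackageManager hook only fools checks inside its own process; an
    # out-of-process MDM query still sees the true installer (None for browser/adb sideloads).
    if record.get("installer") not in STORE_INSTALLERS:
        reasons.append(f"sideloaded (installer={record.get('installer')})")
    return reasons

# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk 203.0.113.10 200",
    "2024-01-01T10:05:00Z 10.0.0.5 POST https://api.ra-backup.com/analytics/submit.php 216.45.58.148 200",
    "2024-01-01T10:06:00Z 10.0.0.7 GET https://example.com/index.html 198.51.100.1 200",
]
SAMPLE_APP = {"package": "com.red.alertx", "sha256": MALICIOUS_SHA256, "installer": None}
```

Feed real proxy exports and MDM app inventories in the same shape to get per-line and per-app hits for the quarantine and blocking steps listed above.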


Read more: https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command