{
  "Event": {
    "analysis": "1",
    "date": "2026-03-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Mobile spyware campaign impersonates Israel's Red Alert rocket warning system",
    "protected": false,
    "publish_timestamp": "1773997313",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1773997312",
    "uuid": "fda923d4-7ffe-44b9-af91-df9dc810439e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Broadcast Receivers - T1624.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Calendar Entries - T1636.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing Policy Modification - T1632.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Contact List - T1636.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1646\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1658\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Location Tracking - T1430\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMS Messages - T1636.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1418\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1406.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Uninstall Malicious Application - T1630.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1437.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054020",
        "to_ids": false,
        "type": "link",
        "uuid": "3981dcfa-29dc-4fb3-8847-91b2a2f0e1a7",
        "value": "https://www.acronis.com/en/tru/posts/mobile-spyware-campaign-impersonates-israels-red-alert-rocket-warning-system/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054020",
        "to_ids": false,
        "type": "text",
        "uuid": "ed1ac391-20f4-4bd8-a932-ee1fe834590b",
        "value": "A targeted campaign has been identified distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications. The malicious app retains full rocket alert functionality while running malicious code in the background. It bypasses Android security checks through certificate spoofing and runtime manipulation. Once installed, the malware collects sensitive data including SMS messages, contacts, location data, device accounts, and installed applications. The stolen data is transmitted to a remote command-and-control server. This campaign exploits user trust in emergency services during periods of geopolitical tension, combining social engineering with mobile espionage for maximum impact."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054020",
        "to_ids": false,
        "type": "text",
        "uuid": "ea6bfed3-0c42-4855-bfbf-ef02b221a447",
        "value": "Name: Mobile spyware campaign impersonates Israel's Red Alert rocket warning system\nAuthor: AlienVault\nAdversary: Arid Viper\nTags: [\"certificate spoofing\", \"android\", \"spyware\", \"red alert\", \"sms\", \"social engineering\"]\nTargeted countries: [\"Israel\"]\nMalware families: [\"RedAlert.apk\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054020",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "de9b9c96-09c2-455e-9577-cff9800eae15",
        "value": "Arid Viper"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276993",
        "to_ids": true,
        "type": "url",
        "uuid": "5d8a41a0-0d03-4792-a25f-04ed2d4e5cf2",
        "value": "https://api.ra-backup.com/analytics/submit.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
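        "comment": "Differs from the other url attribute in this event only by a trailing period, which is probably sentence punctuation captured during extraction; confirm against the source report before relying on this value for detection.",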
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277014",
        "to_ids": true,
        "type": "url",
        "uuid": "ce3227d1-9804-44a4-929b-c625888f8db2",
        "value": "https://api.ra-backup.com/analytics/submit.php.",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277036",
        "to_ids": true,
        "type": "domain",
        "uuid": "d7d8eab7-70e5-4276-8845-becaec2a1ab7",
        "value": "ra-backup.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773277058",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2b4b2ab0-5c01-4368-8df9-a72da7dac80e",
        "value": "api.ra-backup.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773277080",
        "uuid": "40069b9e-faa9-4f44-9016-97b8320eec50",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773277080",
            "to_ids": true,
            "type": "md5",
            "uuid": "866c6972-fd29-4b6d-b447-dda4f88c7531",
            "value": "9c6c67344fecd8ff8dbbee877aad7efc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276065",
            "to_ids": true,
            "type": "sha1",
            "uuid": "742f633e-8f5c-4ad4-b662-34ccf84c8744",
            "value": "04ee8594b5101505b92e14777466a62a2f4a2ceb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276065",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e8147ada-0d99-489a-9fba-bfc955d0e125",
            "value": "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773275115",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "451be4da-5075-4525-bc81-deb31cfa242d",
            "value": "393216:IQNNTdIbeNstoGDcrz1RfPz3tSfygZ4Cgy7AJknQ7pAnQIBY:IY12tCrfrdSfVcEhdY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773275115",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "250e82a7-7f8a-4f08-aa13-b8699e42d3ac",
            "value": "23240876"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773275115",
            "to_ids": true,
            "type": "vhash",
            "uuid": "17db82b0-01fb-432e-8727-59affb7e3da5",
            "value": "730c180d7c495e9d6022cbe718d29b9a"
          },
          {
            "category": "Payload delivery",
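            "comment": "Value is the sample's SHA-256 with an .apk extension, which looks like a sample-repository naming convention rather than a filename observed on devices; likely of little use as a detection indicator on its own.",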
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773275115",
            "to_ids": true,
            "type": "filename",
            "uuid": "65008df4-de94-4fab-972b-2c28e43a8f70",
            "value": "83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026 (DD/MM/YYYY)\nLast-scan: 12/03/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773275115",
            "to_ids": false,
            "type": "text",
            "uuid": "622bfbb6-90b0-432d-a598-03b6395d46a8",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection: 23/66\nFirst Submission: 2026-03-01T12:44:22.000000+00:00\nLast Submission: 2026-03-05T08:06:30.000000+00:00"
          }
        ]
      }
    ]
  }
}