Spoofed Rocket Alert App Targets Israeli Android Users with Spyware

As violence and protests spread in the chaotic war between Israel and Hamas, evidence of the parallel battle going on in cyberspace continues to emerge.

It started almost immediately after the initial bloody incursion by Hamas fighters into southern Israel October 7, with cybersecurity experts detecting multiple threat groups launching cyberattacks, including distributed denial-of-service (DDoS) campaigns against Israeli warning systems.

Less than a week after the conflict started, researchers with cloud cybersecurity vendor Cloudflare wrote about a spoofed version of an open source mobile app used by Israelis to warn of incoming rockets, an important tool given that more than 5,000 rockets have been fired into the country since the fighting began.

The vendor’s Cloudforce One Threat Operation Team discovered a website hosting a malicious version of the “RedAlert – Rocket Alerts” app, an open source mobile tool created by Elad Nava that delivers “timely and precise alerts about incoming airstrikes,” researchers Blake Darché, Armen Boursalian, and Javier Castro wrote in a report.

“Many people living in Israel rely on these alerts to seek safety – a service which has become increasingly important given the newest escalations in the region,” they wrote.

Slight Change, Big Problems

In the domain impersonation campaign, the malicious website issued an advertisement luring users to download the RedAlert app. However, the threat actors’ website – redalerts[.]me – differs by a single letter from the legitimate site, redalert[.]me. In addition, the bad actors deployed modified and malicious versions of the open source code to users.
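A one-letter difference like this is what an edit-distance check over observed hostnames catches. The sketch below is an added example, not code from the article or from Cloudflare's report; the sample list is constructed, and `rdealert.me` in it is a made-up entry to show that adjacent-letter swaps are caught as well as insertions.

```python
def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "rde" typed for "red"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lowercase, refang '[.]', drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    return host[4:] if host.startswith("www.") else host


PROTECTED = ["redalert.me"]  # the legitimate domain named in the article


def find_lookalikes(observed, protected=PROTECTED, max_distance=1):
    """Return (host, legitimate, distance) for near-miss hostnames only."""
    hits = []
    for raw in observed:
        host = normalize(raw)
        for legit in protected:
            d = osa_distance(host, legit)
            if 0 < d <= max_distance:  # distance 0 is the real site
                hits.append((host, legit, d))
    return hits


# Constructed sample, e.g. hostnames pulled from proxy or DNS logs.
SAMPLE = ["redalert[.]me", "redalerts[.]me", "WWW.Redalert.me.",
          "rdealert.me", "example.org"]

if __name__ == "__main__":
    for host, legit, d in find_lookalikes(SAMPLE):
        print(f"{host} is {d} edit(s) from {legit}")
```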

The malicious website had links to both the Apple iOS and Android versions of the malicious RedAlert app. The link to the Apple App Store pointed to a legitimate version of RedAlert. However, users who clicked the link for the Android version hosted on the Play Store instead were infected with spyware.

“The malicious RedAlert version imitates the legitimate rocket alert application but simultaneously collects sensitive user data,” the researchers wrote. “Additional permissions requested by the malicious app include access to contacts, call logs, SMS, account information, as well as an overview of all installed apps.”

The stolen data is uploaded via a Connector class that the threat actor has written and which is used to encrypt the data and upload it to an HTTP server.

The malicious app also includes several tactics used to avoid detection, including ways to determine if the application is being debugged and whether a test user – referred to as a “monkey” – is using the app. The app also looks for certain files and identifiers to see whether it is being run in an emulated environment.

Delete the Malicious App

The malicious site was spun up October 12 and has since been taken offline, but some victims who downloaded the illegitimate app may still have it on their mobile phones and should delete it. They can determine this by seeing whether the extraneous permissions added by the bad actor appear on the app, including call logs, contacts, phone, and SMS.

“If users are unsure whether they installed the malicious version, they can delete the RedAlert applications and reinstall the legitimate version directly in the Play Store,” Darché, Boursalian, and Castro wrote.
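The permission check described above can be scripted against the output of `adb shell dumpsys package <package>`. This is an added example, not part of the article or of Cloudflare's report; the mapping from the article's data categories to Android permission names is an assumption, and the package name and dump text are constructed.

```python
import re

# Assumed mapping: Android permission -> data category named in the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
}


def audit_permissions(dumpsys_text: str) -> dict:
    """Map each sensitive category the app declares to whether it is granted."""
    requested, granted, in_requested = set(), set(), False
    for line in dumpsys_text.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            in_requested = True
        elif in_requested and re.fullmatch(r"[\w.]+", s):
            requested.add(s)  # bare permission name inside the section
        else:
            in_requested = False  # any other line ends the section
            m = re.match(r"([\w.]+): granted=(true|false)", s)
            if m and m.group(2) == "true":
                granted.add(m.group(1))
    found = SENSITIVE.keys() & (requested | granted)
    return {SENSITIVE[p]: p in granted for p in sorted(found)}


# Constructed dump in the shape of `dumpsys package` output (placeholder package).
SAMPLE = """\
Packages:
  Package [com.example.alerts] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.GET_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true
        android.permission.READ_SMS: granted=false
"""

if __name__ == "__main__":
    for category, is_granted in audit_permissions(SAMPLE).items():
        print(f"{category}: declared, granted={is_granted}")
```

An empty result means none of the listed categories is declared; any entry is a reason to remove the app and reinstall it from the store, as the researchers advise.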

Domain Impersonation is a Problem

This wasn’t the first attack on the RedAlert app. Soon after the Hamas attack began, the hacktivist group AnonGhost exploited an API flaw in the software to intercept requests and expose vulnerable servers and APIs. They also used Python scripts to send spam messages to some users, including fake messages about a nuclear bomb, according to cybersecurity company Group-IB.

The Cloudflare researchers wrote that “this [domain impersonation] attack demonstrates the danger of sideloading applications directly from the Internet as opposed to installing applications from the approved app store.”

Such campaigns are an ongoing problem. Cybersecurity company Tripwire wrote in a report earlier this month that during the first half of the year, brands were targeted by an average of 39.4 lookalike domains each month. From January to May, the monthly averages ranged from 27.29 to 37.23 spoofed domains, but those averages jumped by 120% in June.

“One factor contributing to this growth is an increase in lookalike domains targeting certain industries, including the technology, retail, manufacturing, and financial sectors,” the company wrote. “This is also reflected in a significant jump in attacks on a top three webmail provider.”

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
