Fake ‘RedAlert’ rocket alert app for Israel installs Android spyware

Israeli Android users are targeted by a malicious version of the ‘RedAlert – Rocket Alerts’ app that, while it offers the promised functionality, acts as spyware in the background.

RedAlert – Rocket Alerts is a legitimate open-source app used by Israeli citizens to receive notifications of incoming rockets targeting the country. The app is highly popular, with over a million downloads on Google Play.

Since Hamas terrorists launched their attack in South Israel last week, involving thousands of rockets, interest in the app has exploded as people sought timely warnings about incoming airstrikes in their area.

According to Cloudflare, hackers of unknown motivation and origin are leveraging the elevated interest in the app and the fear of the attacks to distribute a fake version that installs spyware.

This malicious version is being distributed from the website “redalerts[.]me,” which was created on October 12, 2023, and includes two buttons to download the app for the iOS and Android platforms. 

The iOS download redirects a user to the legitimate project’s page on the Apple App Store, but the Android button directly downloads an APK file to be installed on the device.

Fake site used for distributing spyware (Cloudflare)

Spyware alert

The downloaded APK uses the legitimate code of the real RedAlert app, so it contains all the regular functionality and appears as a legitimate rocket alert tool.

However, Cloudflare found that the application requests additional permissions from the victims, including access to the user’s contacts, numbers, SMS content, list of installed software, call logs, phone IMEI, logged-in email and app accounts, and more.

Upon launch, the app initiates a background service that abuses these permissions to collect data, encrypt it with AES in CBC mode, and upload it to a hardcoded IP address.
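A defender can surface this kind of repackaging by diffing the manifest of a sideloaded APK against the manifest of the trusted release. The following is an added example, not code from Cloudflare or the RedAlert project; it assumes both manifests have already been decoded to text XML (for example with apktool), and the permission mapping, the function names and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: data types named in the report -> Android permission names.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "phone identifiers such as IMEI",
    "android.permission.GET_ACCOUNTS": "logged-in accounts",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed software",
}

def declared(manifest_xml, tags):
    """Return the android:name values of the given element tags."""
    root = ET.fromstring(manifest_xml)
    return {n.get(ANDROID_NS + "name") for t in tags for n in root.iter(t)
            if n.get(ANDROID_NS + "name")}

def manifest_diff(baseline_xml, candidate_xml):
    """Report what the candidate declares beyond the trusted baseline."""
    perm_tags = ("uses-permission", "uses-permission-sdk-23")
    extra = declared(candidate_xml, perm_tags) - declared(baseline_xml, perm_tags)
    return {
        "sensitive": {p: SENSITIVE[p] for p in sorted(extra) if p in SENSITIVE},
        "other_permissions": sorted(p for p in extra if p not in SENSITIVE),
        "new_services": sorted(declared(candidate_xml, ("service",))
                               - declared(baseline_xml, ("service",))),
    }

# Constructed manifests (not taken from either real APK).
BASELINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".PushService"/></application>
</manifest>"""
CANDIDATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><service android:name=".PushService"/><service android:name=".CollectorService"/></application>
</manifest>"""

if __name__ == "__main__":
    print(manifest_diff(BASELINE, CANDIDATE))
```

Because the candidate manifest comes from an untrusted file, a hardened XML parser such as defusedxml is the safer choice outside a disposable analysis environment.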

Functions to gather data from infected device

Two fake Android apps need to be uninstalled now to ensure your Android phone is protected

UPDATE: It appears both apps have been removed from the Play Store by Google, but it’s still advised that you check whether you happened to install them on your phone by accident.

One simple tip you can follow when you want to get a particular app, in order to make sure you’re getting the legitimate one, is to check the name of the developer who published the app in the App Store or Play Store. This is the easiest way to ensure you’re about to download the correct app. If the name of the developer isn’t what you’d expect it to be, it’s at least worth double-checking whether the app is the right one. Other telltale signs are user reviews and ratings: it’s always a smart move to take a quick glance at any user feedback left, because bogus apps often have negative reviews or low ratings. The original story follows below…

If you installed two apps on your Android phone that you thought were messaging apps Signal and Telegram, delete them immediately if not sooner. Per BGR, the two apps are Signal Plus Messenger and FlyGram and have subsequently been removed from the Play Store, the Galaxy Store, and third-party app storefronts from where they were sideloaded (installed from third-party app storefronts) on Android phones.

Bogus versions of the Signal and Telegram messenger apps were installed from the Play Store and Galaxy Store

But these apps were not removed until Signal Plus Messenger had been listed in the Play Store for nine months, and it was installed over 100 times before Google yanked it out of its app storefront. Thank Google for Play Protect, but it obviously isn’t always nimble enough in removing malicious apps. FlyGram was created by the same developer and removed