Pierluigi Paganini October 17, 2023

Threat actors are targeting Israeli Android users with a malicious version of the ‘RedAlert – Rocket Alerts’ that hide spyware.

A threat actor is targeting Israeli Android users with a spyware-laced version of the ‘RedAlert – Rocket Alerts’ app, Cloudflare warns.

RedAlert – Rocket Alerts is a mobile app that provides real-time alerts about incoming rocket attacks in Israel. It is developed by a team of volunteers and is based on real-time data provided by the Home Front Command (Pikud Haoref). The app is highly popular, with over a million downloads on Google Play.

In the wake of the Israel-Gaza conflict, more than 5,000 rockets have been launched into Israel since the attacks from Hamas began on October 7th 2023. For this reason, the RedAlert – Rocket Alerts app is a valuable tool for Israeli citizens because it provides them precise alerts about incoming airstrikes.

The legitimate app is available on Google Play and has over a million downloads on

On October 13, 2023, Cloudflare’s Cloudforce One Threat Operations Team discovered a website hosting a malware-laced version of RedAlert – Rocket Alerts application. 

The website hxxps://redalerts[.]me was created on October 12, 2023, the domain differs from the legitimate website by only one letter (‘s’).

The domain displays two buttons to download the app, respectively, for the iOS and Android mobile OSs. 

Upon choosing the iOS download, the users are redirected to the legitimate project’s page on the Apple App Store, while the Android button starts the download of the rogue APK file.

The APK borrows the open-source code of the RedAlert app, which was modified to include the attackers’ malicious code.

“The malicious RedAlert version imitates the legitimate rocket alert application but simultaneously collects sensitive user data. Additional permissions requested by the malicious app include access to contacts, call logs, SMS, account information, as well as an overview of all installed apps.” reads the advisory published by Cloudflare.

Once the app has collected user data, the malware uploads it to an HTTP server at a hardcoded IP address.

The malicious app supports anti-analysis capabilities, including anti-debugging, anti-emulation, and anti-test operations.

The website hosting the rogue RedAlert app was offline at the time of this publishing.

For users who have installed RedAlert on their devices, they can determine whether they have been compromised by checking for extraneous permissions, such as:

• Call Logs
• Contacts
• Phone
• SMS

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)