Hamas-linked threat actors are distributing Android spyware embedded in a trojanized version of Israel's Red Alert rocket warning app via SMS phishing. Discovered by Acronis TRU on March 1, the campaign uses spoofed sender IDs and bit.ly links to redirect users to a malicious APK that requests 20 permissions, including real-time GPS tracking, SMS access, contact harvesting, and phishing overlay capabilities. The malware spoofs Google Play certificates to bypass Android security checks, persists across reboots, and continuously sends the stolen data to a C2 server. The campaign is attributed to Arid Viper (APT-C-23), a Hamas-aligned cyberespionage group active since at least 2013.