PROBABLYPWNED
Threat Intelligence | March 23, 2026 | 3 min read

Iranian APT Deploys Fake RedAlert App to Surveil Israeli Users

Unit 42 uncovers phishing campaign distributing trojanized Israeli civil defense app. Malicious APK harvests location data, contacts, and messages from Android devices amid regional tensions.

Alex Kowalski

Iranian threat actors are distributing a weaponized version of Israel's Home Front Command RedAlert application to deploy mobile surveillance malware on Android devices. Unit 42 researchers identified the campaign as part of a broader escalation in Iranian cyber operations during March 2026.

The legitimate RedAlert app warns Israeli citizens of incoming rocket attacks and other threats. The trojanized version mimics this functionality while silently harvesting sensitive data and enabling persistent surveillance.

How the Attack Works

Attackers distribute the malicious APK via SMS phishing messages that direct recipients to download "updated" versions of RedAlert from attacker-controlled domains. The messages exploit urgency, claiming users need the latest version for accurate alerts.

Once installed, the fake app:

  • Requests permissions similar to the legitimate app (location, notifications, network access)
  • Displays functional alert interfaces to maintain the illusion
  • Exfiltrates device data including contacts, call logs, and SMS messages
  • Tracks location continuously
  • Establishes persistent command-and-control communication

The social engineering is effective because the legitimate app genuinely requires permissions for location-based alerts. Users expecting those requests are less likely to recognize malicious intent.

Broader Iranian Cyber Campaign

This mobile malware operation is one component of an intensified Iranian cyber campaign following military operations on February 28, 2026. Unit 42's threat brief identifies multiple state-aligned groups operating simultaneously.

Key threat actors involved:

Handala Hack, linked to Iran's Ministry of Intelligence and Security (MOIS), has claimed compromises against Israeli energy companies and Jordan's fuel systems. The group has escalated beyond data theft to include death threats against Iranian-American and Iranian-Canadian influencers.

Cyber Islamic Resistance operates as an umbrella coordinating multiple hacktivist teams, claiming compromises of drone defense systems and Israeli payment infrastructure.

FAD Team (Fatimiyoun Cyber Team) specializes in wiper malware and permanent data destruction, claiming unauthorized access to multiple SCADA/PLC systems.

This mirrors the Russian intelligence phishing campaigns targeting Signal and WhatsApp users we reported last week. Nation-state actors are increasingly targeting mobile messaging platforms where high-value targets communicate.

Hacktivist Surge

Unit 42 estimates over 60 hacktivist groups have been active in the conflict zone since early March 2026, including multiple pro-Russian collectives joining Iranian-aligned operations.

The "Electronic Operations Room" formed on February 28 appears to coordinate between these groups, suggesting a more organized command structure than is typical of hacktivist activity.

Targeted sectors include:

  • Defense and military systems
  • Healthcare networks
  • Energy infrastructure
  • Financial institutions
  • Government agencies across the region

The APT36 campaign against India using AI-generated malware shows how nation-state actors are adapting tactics. Mobile platforms have become primary targets because they contain personal communications and are often less protected than enterprise systems.

Protecting Against Mobile Threats

For users in affected regions:

  1. Download apps only from official stores - The Play Store isn't perfect, but it's better than APKs from SMS links
  2. Verify app publishers - Check that security apps come from official government or known security vendors
  3. Review permission requests - Even legitimate apps shouldn't need all permissions immediately
  4. Use mobile threat defense - Enterprise MDM solutions can detect known malicious APKs
  5. Be skeptical of urgency - Phishing attacks exploit time pressure to bypass critical thinking

For organizations:

  • Block known C2 infrastructure at the network level
  • Implement app allowlisting on managed devices
  • Train employees on mobile phishing recognition, especially in high-risk regions
  • Monitor for unusual app installations or permission grants
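The permission and publisher checks above can be scripted for a fleet of managed devices. This is an added example, not code from Unit 42 or from the RedAlert project: it triages the `uses-permission` lines of an `aapt dump permissions` style manifest dump against a baseline of what a location-based alert app plausibly needs, flags the permissions that map to the data theft and persistence described in "How the Attack Works", and compares the APK signer fingerprint to a known-good value. The signer fingerprint, the baseline, and the sample dump are all constructed placeholders.

```python
import re

# Placeholder: take the real fingerprint from a known-good install of the official app.
EXPECTED_SIGNER_SHA256 = "PLACEHOLDER_OFFICIAL_SIGNER_SHA256"

# Permissions a rocket-alert app plausibly needs (the article lists location,
# notifications and network access). Assumed baseline, not the real app's manifest.
BASELINE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions that correspond to the behaviours the article attributes to the fake app.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "continuous location tracking",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X` line forms.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?\s*$", re.M)

# Constructed sample dump of a suspicious APK (package name is a made-up example).
SAMPLE_TROJAN_DUMP = """\
package: com.example.redalert.update
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

def parse_permissions(aapt_output: str) -> set[str]:
    return set(PERM_RE.findall(aapt_output))

def triage(aapt_output: str, signer_sha256: str) -> dict:
    perms = parse_permissions(aapt_output)
    unexpected = sorted(perms - BASELINE_PERMS)
    capabilities = sorted({SURVEILLANCE_PERMS[p] for p in perms if p in SURVEILLANCE_PERMS})
    normalise = lambda s: s.replace(":", "").lower()
    signer_ok = normalise(signer_sha256) == normalise(EXPECTED_SIGNER_SHA256)
    # Block on a signer mismatch or on any permission the alert function never needs.
    verdict = "block" if (not signer_ok or capabilities) else "allow"
    return {"verdict": verdict, "signer_ok": signer_ok,
            "unexpected": unexpected, "capabilities": capabilities}
```

Feed it the output of `aapt dump permissions` and the SHA-256 from `apksigner verify --print-certs` for each APK reported by the MDM; anything that comes back `block` is worth pulling for analysis.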

The campaign demonstrates how attackers weaponize trusted applications during crises. When people are genuinely worried about physical safety, they're more likely to install software that claims to protect them.
