Security researchers have uncovered a spyware campaign that masquerades as an emergency alert application, specifically targeting Israeli smartphones through SMS messages. The malicious software is a trojanized version of the widely used Red Alert rocket app, which many Israelis rely on for real-time alerts.
Discovery and Initial Reports
The Acronis Threat Research Unit (TRU) analysts first identified the spyware on March 1, 2026, after numerous reports surfaced on social media from citizens who encountered the scam. TRU senior security researcher Eliad Kimhy noted that the full extent of the campaign remains unclear, stating, “At the moment there’s no way to know for sure what the scope or size is, or how many infections were successful.” This uncertainty is compounded by warnings issued by the Israeli National Cyber Directorate and major Israeli news outlets, indicating a potentially broad and indiscriminate attack.
Method of Attack
The spyware campaign is believed to be linked to a Hamas-aligned cyberespionage group known as Arid Viper, which has been active since at least 2013. This group typically targets Israeli individuals with surveillance malware across various platforms, including Android, iOS, and Windows. The attackers sent SMS messages that impersonated the official “Oref Alert” rocket warning service, using spoofed sender IDs to deceive recipients into installing what they believed was an updated version of the emergency alert app.
Malware Functionality and Permissions
Upon installation, the spyware requests a total of 20 permissions. Six of them are particularly concerning because they grant real-time access to the user’s precise GPS location, SMS messages, contact list, and the accounts stored on the device. Additionally, the malware can draw phishing overlays on top of other applications, allowing attackers to intercept sensitive information such as one-time passwords and credentials. The spyware maintains persistence on infected devices by automatically launching after a reboot, and it continuously transmits stolen data to the attackers’ remote command-and-control server.
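The permission set described above is the kind of thing an analyst checks first when triaging a suspicious APK. The following Python script is an added example, not code from Acronis TRU or from the article: it parses a decoded AndroidManifest.xml, groups the declared permissions by the capability they grant (location, SMS, contacts, accounts, overlays, boot persistence), and reports which of those capabilities fall outside what a genuine rocket-alert app would plausibly need. The permission names and the BOOT_COMPLETED action are real Android identifiers; the capability grouping, the "expected for an alert app" baseline, and both sample manifests (including the package names) are constructed assumptions for illustration.

```python
"""Triage helper: flag spyware-grade capabilities in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the namespaced android:name attribute

# Real Android permission names, grouped by the capability each one grants.
# The grouping itself is an assumption made for this example.
CAPABILITIES = {
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts_access": {"android.permission.READ_CONTACTS"},
    "account_access": {"android.permission.GET_ACCOUNTS"},
    "overlay_on_other_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Assumed baseline: a legitimate alert app needs your location to warn you, nothing else here.
EXPECTED_FOR_ALERT_APP = {"precise_location"}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def declared_permissions(root):
    """Set of permission names from every <uses-permission> element."""
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def boot_receivers(root):
    """Names of <receiver> components whose intent-filter listens for BOOT_COMPLETED."""
    found = []
    for receiver in root.iter("receiver"):
        if any(a.get(NAME) == BOOT_ACTION for a in receiver.iter("action")):
            found.append(receiver.get(NAME))
    return found


def triage_manifest(xml_text):
    """Summarise the capabilities an APK declares and which ones are unexpected."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    capabilities = {cap for cap, names in CAPABILITIES.items() if perms & names}
    receivers = boot_receivers(root)
    if receivers:  # a boot receiver is persistence intent even if the permission were missing
        capabilities.add("boot_persistence")
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "capabilities": sorted(capabilities),
        "unexpected": sorted(capabilities - EXPECTED_FOR_ALERT_APP),
        "boot_receivers": receivers,
    }


# Constructed sample: what a trojanized alert app's manifest might declare.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alert.trojanized">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Alert">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a minimal manifest that stays within the expected baseline.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alert.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Alert"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (TROJANIZED_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(sample)
        print(report["package"], "unexpected:", report["unexpected"] or "none")
```

Run against a manifest produced by a decoder such as apktool; the script deliberately treats a BOOT_COMPLETED receiver as a persistence indicator on its own, so a sample that drops the permission but keeps the receiver is still flagged.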
Context of Cyber Operations
TRU lead security researcher Santiago Pontiroli emphasized the correlation between periods of military escalation in the region and increased cyber operations. He noted that previous conflicts have often triggered campaigns by hacktivists and espionage-focused actors who exploit the situation. Pontiroli stated, “Attackers frequently leverage wartime themes such as emergency alerts, missile warnings, or security updates as social engineering lures to distribute surveillance malware and collect sensitive information.” This incident highlights the evolving landscape of cyber operations, which increasingly serve as an intelligence-gathering tool alongside traditional conflicts.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.