Threat Actors Target Israeli Rocket Alert Applications
In the midst of the Israel-Gaza conflict, and significant rocket activities, threat actors have taken advantage of the situation to spread mobile spyware and fear among Israeli residents. They did this by targeting Israeli rocket alert applications, which a large number of Israelis rely on to get timely information on incoming airstrikes, and thus find safety.
Spyware Masquerading as an Android Application for Rocket Alerts
One of the strategies used by these threat actors was to create a malicious version of the 'RedAlert – Rocket Alerts' mobile application. The application, developed by Elad Nava and known for being open source, was turned into a tool for infecting users with spyware. This was achieved through a well-executed typosquatting tactic: a look-alike domain listed both the iOS and Android versions of the application. For iOS, the site linked to the legitimate App Store page; for Android, it served a modified build of the application.
Mobile Spyware Spread Intent to Incite Fear
The malicious mobile application was not just built to spread spyware; it was also used as an instrument of fear. It contained the original code, but with additional capability to collect sensitive user information: contacts, call logs, messages, account details, SIM details, and a list of installed apps. In addition, the modified application launched a background service that enabled remote data harvesting from the device. All of the collected data was then sent to a remote server over HTTP. Although the data was encrypted, it was observed that the use of RSA with a public key embedded in the app could allow anyone who intercepted the traffic to decrypt the information.
Pro-Palestinian Hacktivist Group AnonGhost Confirms Targeting Rocket-Alerting Apps
The pro-Palestinian hacktivist group AnonGhost took it a step further by openly acknowledging that it had targeted various rocket alerting apps. It did so by exploiting a vulnerability in the 'Red Alert: Israel' application developed by Kobi Snir. The group succeeded in compromising this app, intercepting its requests, and exposing its APIs and servers. It went as far as sending fake alerts to users, including nuclear bomb warnings, through the compromised app.
Exploitation and Compromise of 'Red Alert: Israel' Application
One significant instance of this cyber intrusion involved the 'Red Alert: Israel' application, developed by Kobi Snir, which was targeted and exploited. The pro-Palestinian hacktivist group, AnonGhost, was able to take advantage of a vulnerability in the application to further their agenda.
Fake Alert Dispatches Including Nuclear Bomb Messages on 'Red Alert: Israel' Application
After compromising the application, AnonGhost used it to dispatch false alerts to users, fueling panic and causing additional distress amid the ongoing conflict. The false alerts even included warnings of an incoming nuclear bomb, a move designed to amplify fear and anxiety among the app's users.
Interception of Requests and Exposure of APIs and Servers
Aside from dispatching false alerts, the hacktivist group further compromised the application by intercepting its requests, gaining access to sensitive operations of the app. This gave them insight into the application's internal structure and led to the exposure of the APIs and servers behind the 'Red Alert: Israel' application. Exposing such details widens the attack surface and creates opportunities for other threat actors.
Creation and Spreading of Malicious Version of 'RedAlert – Rocket Alerts'
Undeterred by the existing turmoil, threat actors went deeper into their bag of malevolent tricks to create and spread a malicious version of the 'RedAlert – Rocket Alerts' application. The target: unsuspecting users, many of whom were already anxious due to the hostile environment.
Creation of Fake Website Hosting Malicious Version of the Application
A nefarious tactic, enacted on October 12, involved the creation of a website that hosted a deceitful version of the 'RedAlert – Rocket Alerts' mobile application. The app, which was originally created by Elad Nava as an open-source mobile application, was manipulated with the intent to introduce spyware into user devices. This rogue website was cloaked as a reliable platform, even though it harbored malicious intent.
Typosquatting Used to Serve Android Users a Modified 'RedAlert – Rocket Alerts' Application
A sophisticated maneuver known as typosquatting was employed to dupe users into downloading the modified application. The malevolent domain listed both iOS and Android versions of the 'RedAlert – Rocket Alerts' mobile application, which would have seemed like business-as-usual to unsuspecting users. While it linked users to the legitimate App Store page for the iOS variant, it served a modified version of the software to Android users. This way, the attackers were able to spread the malicious application to Android users undetected.
Malicious Application’s Abilities to Collect Extensive User Details and Deliver Spyware
More than merely duplicating the legitimate application, the malicious variant was reengineered to harvest sensitive user information, including but not limited to contacts, call logs, messages, account details, SIM details, and a comprehensive list of installed applications. In addition to these, the malicious version of the application was programmed to launch a service in the background, enabling it to harvest data from the device silently. The amassed data would then be sent to a remote server over HTTP, accentuating the depth of the privacy invasion.
Security Measures Taken and Advice for Affected Users
In response to this cyberattack on the vulnerabilities of the 'RedAlert – Rocket Alerts' application, there were several protective measures implemented and advice given to users who had potentially been affected by the spyware intrusion.
Deactivation of the Website Hosting the Malicious Version
Once the threat was identified, the website hosting the malicious version of the RedAlert application was taken down. This step was vital to prevent further downloads and spread of the spyware-laden application. However, users who had already installed the modified application remain at risk, owing to its data harvesting capabilities.
Recommendations for Users for Identifying and Cleaning Up from Possible Spyware Infection
Users who may have unknowingly downloaded the manipulated application, and could therefore be infected by the spyware, were given precautionary steps to determine whether they are affected and to rectify the situation. One suggestion was to review the permissions the application holds on the device. If the app has been granted access to call logs, contacts, phone, and SMS data, users should act immediately to clean their devices, as this combination is an indicative sign of the compromise.
Additionally, users were advised to strengthen their screen lock passwords as a preventative step against potential stalkerware. Two-factor authentication on email and other online accounts was also suggested to further fortify personal data protection. In the US, victims can also access resources like the National Domestic Violence Hotline and the Coalition Against Stalkerware for specialized assistance.
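The permission review recommended above can be done systematically rather than by tapping through the Settings app. The script below is an added example written for this summary, not code from the original report or from either application's developer: it parses the output of `adb shell dumpsys package` (the text format Android prints for each installed package) and flags any package that requests the full set of indicative permissions named in the advice (call log, contacts, phone state, SMS), separating what is actually granted from what is merely requested. The package names and the dumpsys text are constructed sample data, not real identifiers from the incident.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The permission combination the advice treats as a warning sign for this spyware:
# access to call logs, contacts, phone, and SMS data.
INDICATIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
}

# Constructed sample of `adb shell dumpsys package` output. Package names are
# invented for this example and do not refer to the real applications.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.rocketalerts] (1a2b3c):
    userId=10231
    versionName=1.4.2
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.READ_SMS
      android.permission.POST_NOTIFICATIONS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.POST_NOTIFICATIONS: granted=false, flags=[ USER_SET ]
  Package [com.example.messenger] (4d5e6f):
    userId=10232
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.weather] (7a8b9c):
    userId=10233
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Matches both bare "requested permissions" lines and "name: granted=true/false, ..." lines.
PERM_LINE_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")
GRANT_SECTIONS = ("install permissions:", "runtime permissions:")


@dataclass
class PackageInfo:
    name: str
    requested: Set[str] = field(default_factory=set)
    granted: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    package: str
    granted: List[str]        # indicative permissions the app currently holds
    requested_only: List[str]  # indicative permissions requested but not granted


def parse_dumpsys(text: str) -> Dict[str, PackageInfo]:
    """Collect requested and granted permissions per package from dumpsys text."""
    packages: Dict[str, PackageInfo] = {}
    current = None
    section = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = PackageInfo(m.group(1))
            packages[current.name] = current
            section = None
            continue
        if current is None:
            continue
        perm = PERM_LINE_RE.match(line)
        stripped = line.strip()
        if perm is None:
            # Any other "something:" line starts a new sub-section of the package dump.
            if stripped.endswith(":"):
                section = stripped
            continue
        name, granted = perm.group(1), perm.group(2)
        if section == "requested permissions:":
            current.requested.add(name)
        elif section in GRANT_SECTIONS and granted == "true":
            current.granted.add(name)
    return packages


def triage(packages: Dict[str, PackageInfo], indicative=INDICATIVE_PERMISSIONS) -> List[Finding]:
    """Flag packages that request every indicative permission, noting which are granted."""
    findings = []
    for pkg in packages.values():
        if not indicative.issubset(pkg.requested):
            continue
        held = pkg.granted & indicative
        findings.append(Finding(pkg.name, sorted(held), sorted(indicative - held)))
    return findings


if __name__ == "__main__":
    # Usage: adb shell dumpsys package > dump.txt && python triage.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for f in triage(parse_dumpsys(text)):
        print(f"{f.package}: holds {len(f.granted)}/{len(INDICATIVE_PERMISSIONS)} indicative permissions")
        for p in f.granted:
            print(f"  granted:   {p}")
        for p in f.requested_only:
            print(f"  requested: {p} (not granted)")
```

A package that holds all four permissions matches the sign described in the advice and is the one to remove and clean up after; a package that only requests them still deserves a look, since a single tap in a permission prompt would complete the set. Run against a real device dump, the script simply lists candidates for a human to judge; it does not decide on its own which app is the modified one.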