Malware

RedAlert.apk

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1566.001Spearphishing AttachmentEvidence2

This campaign weaponizes a legitimate-looking Android package (APK) to deliver mobile surveillance and data-exfiltrating malware.

T1566.003Spearphishing via ServiceEvidence1

Unit 42 has identified an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application... Figure 10. SMS phishing message to download malicious RedAlert application.

Execution

1 technique

T1204User ExecutionEvidence1

"Attackers sent smishing messages urging recipients to download what appeared to be an urgent wartime update... this campaign forced victims to sideload the malicious APK"

Stealth

2 techniques

T1027Obfuscated Files or InformationEvidence1

"Stage 2 extracts a hidden file named 'umgdn' — stored without a file extension inside the APK’s assets directory — and loads it into memory as a Dalvik Executable"

T1036MasqueradingEvidence1

"threat actors crafted a trojanized version of Israel’s official 'Red Alert' emergency app... once installed, the fake app displayed a fully working alert interface identical to the official one"

Command and Control

2 techniques

T1071.001Web ProtocolsEvidence1

"transmitted to attacker-controlled servers through HTTP POST requests directed at https://api[.]ra-backup[.]com/analytics/submit.php"

T1105Ingress Tool TransferEvidence1

"Attackers sent smishing messages urging recipients to download... RedAlert.apk"

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

"Harvested data was staged locally before being transmitted to attacker-controlled servers through HTTP POST requests"

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

cyber security newsNews

Mar 5, 2026

RedAlert Mobile Espionage Campaign Targets Civilians with Trojanized Rocket Alert App for Surveillance

Trojanized Android APK impersonating Israel’s official Red Alert emergency app. It is delivered via smishing to induce sideloading, then requests high-risk permissions (SMS, contacts, precise location), harvests and stages data locally, and exfiltrates it via HTTP POST to attacker infrastructure. Uses multi-stage loading (hidden asset loaded as DEX; final payload DebugProbesKt.dex) and evasion (Package Manager Hooking/Java reflection to spoof certificate and Play Store install source) to reduce detection while enabling surveillance and C2 communications.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.