Mobile and Messaging Scams Use Impersonation and Urgency to Steal Credentials and Data
Acronis researchers reported a deceptive Android campaign targeting Israeli users with a trojanized version of the Red Alert rocket-warning app distributed via SMS messages impersonating Israel’s Home Front Command. The fake app displays legitimate rocket alerts to reduce suspicion while requesting extensive permissions that enable GPS tracking, SMS interception (including one-time passwords), contact harvesting, installed-app enumeration, and account discovery; collected data is exfiltrated to a remote server, and the operators used certificate spoofing to make the installation appear as if it came from Google Play.
Separate consumer-focused advisories described multiple social-engineering/phishing lures delivered via text, email, and calendar invites: an “Amazon recall” SMS that pushes victims to a credential-harvesting site for “refunds,” an “Apple Security Alert” pop-up/text/email that attempts to drive victims to call a fraudulent support number or surrender credentials/2FA/payment details, and a trend of fake calendar invitations increasingly appearing in Microsoft Outlook (previously more common in Gmail) using urgent subjects (e.g., “Final Notice”) and domain-reconnaissance to personalize invites; the Outlook example noted mixed authentication signals (DMARC/SPF/DKIM pass/fail across relays), underscoring that users and defenders should treat unsolicited invites and urgent account/payment prompts as high-risk even when messages appear superficially legitimate.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
DWP text scam impersonates UK benefits payments to steal financial details
By 2026-03-22, scammers were sending SMS messages posing as the UK Department for Work and Pensions and promising winter fuel payments, energy support, or living subsidies. The texts used urgent language, fake deadlines, and malicious links to trick recipients into disclosing personal, bank, or card information.
Amazon recall scam text lures victims to fake Amazon login page
By 2026-03-07, an SMS phishing campaign was using fake Amazon product recall notices to create urgency and drive recipients to a counterfeit Amazon sign-in page. The scam aimed to steal account credentials and possibly two-factor authentication codes for account takeover.
Apple security alert scam impersonates Apple to push phone-call fraud
By 2026-03-06, scam messages were circulating that falsely claimed an Apple device was hacked or tied to a suspicious Apple Pay transaction. The alerts used urgency and a callback number to pressure targets into contacting scammers and potentially disclosing sensitive information.
Outlook calendar invite phishing uses QR code to steal Microsoft 365 logins
By 2026-03-06, a phishing campaign was observed abusing Microsoft Outlook calendar invitations with lures such as "Final Notice: Payroll Acknowledgement Required." The invite carried a PDF with a QR code leading through a .dev site and CAPTCHA gate to a fake Microsoft 365 login page designed to harvest credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
DWP Text Scam Message
onlinethreatalerts.com
Open sourceAmazon Recall Scam Text
onlinethreatalerts.com
Open sourceFake Calendar Invitations Move to Microsoft Outlook
blog.knowbe4.com
Open sourceApple Security Alert Scam Message
onlinethreatalerts.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
Mar 21, 2026
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
Mar 21, 2026
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
Mar 24, 2026