Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving Android threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to runtime manipulation using the LSPosed framework, where a malicious module (e.g., Digital Lutera) hooks SmsManager and TelephonyManager to undermine India’s UPI SIM-binding controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to Telegram; it also uses Socket.IO for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover.
Separately, Acronis TRU (reported by Hackread) identified a fake Red Alert rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal GPS location, SMS/OTP, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via certificate spoofing and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, SurxRAT, that can download and run LLM modules from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., Play Integrity API with MEETS_STRONG_INTEGRITY) where applicable.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Zimperium reports SurxRAT using downloadable LLM modules
Zimperium described SurxRAT as a new Android remote-access trojan able to download and execute large language model modules from third-party repositories. According to the report, the modules can automate phishing, social engineering, and interaction with on-device apps to steal credentials and other sensitive data.
CloudSEK documents LSPosed-based UPI fraud technique
CloudSEK reported an Android financial-fraud method using a malicious LSPosed module called "Digital Lutera" to intercept UPI SIM-binding tokens, spoof phone identity, inject forged SMS records, and exfiltrate data to Telegram. The report linked the activity to a Telegram persona known as "Berlin" and described targeting of Indian payment and banking defenses.
Acronis links fake Red Alert spyware to Arid Viper TTP overlap
In its analysis of the campaign, Acronis assessed the operators as potentially linked to Arid Viper (APT-C-23) based on overlapping tactics, techniques, and procedures. The report also noted certificate spoofing and attempts to make the app appear as if it had been installed from Google Play.
Acronis discovers fake Red Alert app campaign targeting Israelis
Acronis Threat Research Unit discovered on 2026-03-01 an Android espionage campaign using SMS messages impersonating Israel’s Home Front Command to push a trojanized Red Alert rocket-warning app. The fake app showed legitimate alerts while covertly stealing data such as SMS/OTP messages, contacts, GPS location, app inventory, and registered account details.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems | CloudSEK
cloudsek.com
Open sourceSurxRAT Shows How Mobile Malware Can Leverage Large-Language Models
zimperium.com
Open sourceHackers Spread Fake Red Alert Rocket Alert App to Spy on Israeli Users
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Malware Leveraging Legitimate Apps for Surveillance and Theft
Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.
Mar 21, 2026
Mobile and Messaging Scams Use Impersonation and Urgency to Steal Credentials and Data
Acronis researchers reported a deceptive Android campaign targeting Israeli users with a trojanized version of the *Red Alert* rocket-warning app distributed via SMS messages impersonating Israel’s Home Front Command. The fake app displays legitimate rocket alerts to reduce suspicion while requesting extensive permissions that enable **GPS tracking**, **SMS interception (including one-time passwords)**, contact harvesting, installed-app enumeration, and account discovery; collected data is exfiltrated to a remote server, and the operators used **certificate spoofing** to make the installation appear as if it came from Google Play. Separate consumer-focused advisories described multiple **social-engineering/phishing** lures delivered via text, email, and calendar invites: an “Amazon recall” SMS that pushes victims to a credential-harvesting site for “refunds,” an “Apple Security Alert” pop-up/text/email that attempts to drive victims to call a fraudulent support number or surrender credentials/2FA/payment details, and a trend of **fake calendar invitations** increasingly appearing in Microsoft Outlook (previously more common in Gmail) using urgent subjects (e.g., “Final Notice”) and domain-reconnaissance to personalize invites; the Outlook example noted mixed authentication signals (DMARC/SPF/DKIM pass/fail across relays), underscoring that users and defenders should treat unsolicited invites and urgent account/payment prompts as high-risk even when messages appear superficially legitimate.
Mar 23, 2026
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
Mar 24, 2026