TRU identifies mobile spyware campaign using fake Red Alert app in Israel
A targeted smishing campaign has been identified in which Israeli users received SMS messages impersonating official Home Front Command alerts and distributing a trojanized version of Israel’s Red Alert rocket warning Android app.
The malicious app preserves the legitimate rocket alert functionality, making it harder for users to detect, while also collecting sensitive data in the background. This includes SMS messages, contacts, location data, device accounts and information on installed apps.
The campaign was discovered on March 1, 2026, after Israeli citizens reported spoofed “Oref Alert” SMS messages containing shortened links and claims of app malfunction.
The APK uses a dual-stage loader that extracts and runs a legitimate version of the app as cover while requesting dangerous permissions. Once granted, it can access SMS databases, extract contacts with phone numbers and emails, track GPS location with geofencing logic, collect account information, and enumerate installed apps for exfiltration to a command-and-control server.
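Added example, not from the original article or the TRU research: a triage check for a repackaged app that diffs the permissions in a suspect APK's decoded manifest against the known-good release and groups the additions by the data categories listed above. The manifests, the package name `com.example.alerts` and the permission-to-category mapping are constructed assumptions; the input is assumed to be a manifest already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from Android permissions to the data categories in the article.
CATEGORY = {
    P + "READ_SMS": "SMS messages",
    P + "RECEIVE_SMS": "SMS messages",
    P + "READ_CONTACTS": "contacts",
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_BACKGROUND_LOCATION": "location",
    P + "GET_ACCOUNTS": "device accounts",
    P + "QUERY_ALL_PACKAGES": "installed apps",
}

def manifest(perms):
    """Build a constructed, decoded AndroidManifest.xml for the demo."""
    lines = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.alerts">{lines}<application/></manifest>')

# Constructed sample data, not taken from the real apps.
BASELINE = manifest(["INTERNET", "POST_NOTIFICATIONS", "ACCESS_FINE_LOCATION"])
SUSPECT = manifest(["INTERNET", "POST_NOTIFICATIONS", "ACCESS_FINE_LOCATION",
                    "ACCESS_BACKGROUND_LOCATION", "READ_SMS", "READ_CONTACTS",
                    "GET_ACCOUNTS", "QUERY_ALL_PACKAGES"])

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def added_sensitive(baseline_xml, suspect_xml):
    """Group permissions the suspect adds over the baseline by data category."""
    added = requested_permissions(suspect_xml) - requested_permissions(baseline_xml)
    report = {}
    for perm in sorted(added):
        if perm in CATEGORY:
            report.setdefault(CATEGORY[perm], []).append(perm)
    return report

if __name__ == "__main__":
    for category, perms in added_sensitive(BASELINE, SUSPECT).items():
        print(f"{category}: {', '.join(perms)}")
```

A permission already present in the baseline (here fine location) is not reported, so the output shows only what the repackaged build adds.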
The malware also uses multiple evasion techniques, including spoofing signatures to resemble Google Play installs, overriding Android runtime fields for persistence, and triggering certain behaviors based on location. Obfuscation and dynamic method invocation make detection more difficult.
The campaign raises the risk of theft of OTPs, credentials and user profiles, particularly during periods of conflict-related tension.