Hamas-Linked Spyware Targets Israelis via Fake Emergency-Alert App
Security researchers at Acronis Threat Research Unit (TRU) uncovered a cyberespionage campaign distributing spyware disguised as Israel’s official Red Alert rocket warning app. The attack, detected on March 1, leverages SMS phishing messages impersonating the Oref Alert service, urging recipients to install a malicious "update" via a shortened bit.ly link.
The malware, attributed to the Hamas-aligned group Arid Viper (also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion), bypasses Android security by spoofing Google Play certificates and installer sources. Once installed, it requests 20 permissions, including access to GPS location, SMS messages, contacts, and device accounts. The spyware also enables phishing overlays to intercept credentials and one-time passwords, while maintaining persistence through device reboots. Stolen data is transmitted to a remote command-and-control server.
The campaign appears indiscriminate rather than targeted at specific individuals; warnings have been issued by Israel’s National Cyber Directorate and major news outlets. Researchers note that such attacks often escalate during military conflicts, using emergency alerts as social engineering lures to gather intelligence. Previous operations by Arid Viper have targeted Israeli users across Android, iOS, and Windows platforms since at least 2013. The incident highlights the growing role of cyber operations as a parallel intelligence-gathering tool in geopolitical conflicts.
Source: https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
{
  "id": "ISRORE1772829825",
  "linkid": "israelcyber, orefice-&-caliri-cpas",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'location': 'Israel',
                        'name': 'Israeli citizens',
                        'type': 'Individuals'}],
 'attack_vector': 'SMS Phishing',
 'customer_advisories': 'Warnings issued by major news outlets',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally Identifiable Information (PII), Credentials, One-Time Passwords (OTP), Location Data'},
 'date_detected': '2024-03-01',
 'description': "Security researchers at Acronis Threat Research Unit (TRU) uncovered a cyberespionage campaign distributing spyware disguised as Israel’s official *Red Alert* rocket warning app. The attack, detected on March 1, leverages SMS phishing messages impersonating the *Oref Alert* service, urging recipients to install a malicious 'update' via a shortened bit.ly link. The malware, attributed to the Hamas-aligned group *Arid Viper*, bypasses Android security by spoofing Google Play certificates and installer sources. Once installed, it requests 20 permissions, including access to GPS location, SMS messages, contacts, and device accounts. The spyware also enables phishing overlays to intercept credentials and one-time passwords, while maintaining persistence through device reboots. Stolen data is transmitted to a remote command-and-control server.",
 'impact': {'data_compromised': 'GPS location, SMS messages, contacts, device accounts, credentials, one-time passwords',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'Android devices'},
 'initial_access_broker': {'backdoors_established': 'Spyware persistence through device reboots',
                           'entry_point': 'SMS Phishing (Fake App Update)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The incident highlights the growing role of cyber operations as a parallel intelligence-gathering tool in geopolitical conflicts, and the use of emergency alerts as social engineering lures.',
 'motivation': 'Intelligence Gathering',
 'post_incident_analysis': {'root_causes': 'Social engineering via fake emergency-alert app, spoofed Google Play certificates, excessive permissions requested by malware'},
 'references': [{'source': 'Acronis Threat Research Unit (TRU)'}],
 'response': {'communication_strategy': 'Warnings issued by Israel’s National Cyber Directorate and major news outlets',
              'law_enforcement_notified': 'Israel’s National Cyber Directorate',
              'third_party_assistance': 'Acronis Threat Research Unit (TRU)'},
 'stakeholder_advisories': 'Warnings issued by Israel’s National Cyber Directorate',
 'threat_actor': 'Arid Viper (APT-C-23, Desert Falcons, Two-tailed Scorpion)',
 'title': 'Hamas-Linked Spyware Targets Israelis via Fake Emergency-Alert App',
 'type': 'Cyberespionage',
 'vulnerability_exploited': 'Social Engineering (Fake App Update)'}