
Mar 09, 2026 · 5 min read

That Emergency Alert Was Spyware—A Hamas Group Trojanized Israel's Rocket Warning App

Arid Viper distributed a fully functional fake version of the Red Alert rocket app that spies on users in real time while still showing legitimate warnings.

On March 1, 2026, researchers at the Acronis Threat Research Unit identified a spyware campaign targeting Israeli smartphone users through one of the most cynical attack vectors imaginable: a trojanized version of the Red Alert rocket warning app, used by millions of Israelis to receive life-saving notifications about incoming missile strikes. The malware was attributed to Arid Viper, a Hamas-aligned cyberespionage group active since at least 2013.

Smartphone displaying a fake emergency alert notification used to distribute spyware

How the Attack Works

The campaign begins with SMS messages that impersonate the Oref Alert service, Israel's Home Front Command emergency notification system. The messages use spoofed sender IDs to appear legitimate, urging recipients to install a critical update through a shortened bit.ly link. The link does not lead to Google Play. Instead, it downloads a malicious APK directly to the user's device.

What makes this attack particularly dangerous is that the trojanized app retains full rocket alert functionality. It actually works as an emergency warning system while running malicious code in the background. A user who installs it will continue receiving legitimate alerts, giving them no reason to suspect anything is wrong.

The app requests 20 Android permissions during installation. Six of them are especially dangerous, granting the operator access to precise GPS location, SMS messages, contact lists, and accounts stored on the device. It also creates phishing overlays on top of other applications, intercepting one-time passwords, credentials, and account numbers as the user types them into banking or email apps.

What the Spyware Steals

Once installed, the malware operates as a full surveillance tool. According to Acronis researchers, the app collects:

  • Real-time GPS location data, transmitted continuously to command and control servers
  • All SMS messages, including two-factor authentication codes
  • Complete contact lists from the device
  • Stored account credentials
  • One-time passwords captured through phishing overlays
  • Banking and financial account numbers

Data is staged locally on the device before being transmitted to the attackers' infrastructure. The malware maintains persistence by automatically restarting after device reboots, and uses certificate spoofing and runtime manipulation techniques to bypass Android security checks.

Who Is Arid Viper?

Arid Viper, also tracked as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a Hamas-aligned cyberespionage group that has been active since at least 2013. The group has a well-documented history of targeting individuals in the Middle East, particularly Israeli military personnel, government officials, and civilians.

Previous campaigns by Arid Viper have used similar tactics: trojanized apps distributed outside official app stores, often themed around dating, messaging, or utility tools. This campaign marks an escalation in both the brazenness and the potential harm of their operations. Weaponizing an emergency alert system during an active conflict exploits the very instinct that keeps people alive.

The Broader Pattern

This is not the first time threat actors have disguised spyware as emergency or safety applications. In 2023, a similar campaign distributed fake air raid alert apps during the early stages of the conflict. State-sponsored groups in Iran, including CrescentHarvest, have used trojanized protest footage to target dissidents with malware. The common thread is exploiting moments of fear or urgency to bypass the caution users might otherwise exercise.

For individuals in conflict zones or areas with active surveillance threats, the lesson is consistent: only install apps from official sources like Google Play or the Apple App Store. Be skeptical of any link received via SMS, even when the sender appears to be a government agency. Legitimate emergency services do not distribute updates through text message links.

How to Protect Yourself

The Israeli National Cyber Directorate and major Israeli news outlets have issued public warnings about this campaign. If you received a suspicious SMS about an Oref Alert update:

  • Do not click any links in the message
  • Only download or update emergency apps through the Google Play Store or Apple App Store
  • Check your installed apps for anything you did not download yourself
  • Review app permissions and revoke access for apps requesting unnecessary permissions like SMS reading or location tracking
  • If you installed an app from an unknown source, factory reset your device and change passwords for any accounts you accessed while the app was installed
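As an added example, not code from the article or from Acronis: a small Python triage helper that applies the two checklist items above (look for apps you did not install yourself, and review SMS/location-style permissions) to adb output, flagging sideloaded third-party packages and the high-risk permissions they actually hold. The sample adb output and package names are constructed for illustration.

```python
import re

# Real Android permission names for the capabilities the article describes:
# SMS, location, contacts, accounts, phishing overlays, boot persistence.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add OEM stores as needed

def sideloaded_packages(pm_output: str) -> list[str]:
    """Third-party packages from `pm list packages -3 -i` not installed by a trusted store."""
    found = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m and m.group(2) not in TRUSTED_INSTALLERS:  # "null" means a sideloaded APK
            found.append(m.group(1))
    return found

def granted_high_risk(dumpsys_output: str) -> set[str]:
    """High-risk permissions actually granted, parsed from `dumpsys package <pkg>` output."""
    granted = re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output)
    return {p for p in granted if p in HIGH_RISK}

def triage(pm_output: str, dumpsys_by_pkg: dict[str, str]) -> dict[str, set[str]]:
    """Map each sideloaded package to the high-risk permissions it holds."""
    return {pkg: granted_high_risk(dumpsys_by_pkg.get(pkg, ""))
            for pkg in sideloaded_packages(pm_output)}

# Constructed sample adb output; package names are hypothetical, not real IoCs.
PM_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.alertupdate  installer=null
"""
DUMPSYS_SAMPLE = """\
  install permissions:
    android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
```

On a real device, feed it the output of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` for each flagged package; a sideloaded app holding SMS plus location plus boot permissions is exactly the profile described above.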

Spyware campaigns that exploit life-or-death situations represent one of the most manipulative forms of cyberattack. The technology to protect against them exists. The challenge is getting that information to the people who need it most, before they tap the link.