Hamas-linked group deploys spyware disguised as emergency alert app to Israeli smartphones
#Security


Regulation Reporter
3 min read

Security researchers warn of a phishing campaign targeting Israelis with malware disguised as a legitimate rocket warning app, stealing sensitive data including location, messages, and credentials.

Security researchers have uncovered a sophisticated phishing campaign targeting Israeli smartphone users with spyware disguised as a legitimate emergency alert application, raising fresh concerns about cyber espionage operations during periods of regional conflict.

The malicious campaign, discovered by Acronis Threat Research Unit (TRU) on March 1, 2026, involves Hamas-linked attackers distributing trojanized versions of the Red Alert rocket warning app through SMS messages that impersonate Israel's official "Oref Alert" service.


How the attack works

According to TRU senior security researcher Eliad Kimhy, the campaign uses SMS messages sent from spoofed sender IDs that urge recipients to install what appears to be an updated version of the emergency alert application. The messages contain bit.ly shortened links that redirect victims to download the malicious software rather than legitimate updates.

Once installed, the malware uses several techniques to avoid looking like sideloaded malware and to survive on the device:

  • A spoofed signing certificate that makes the application appear to have been signed by Google Play
  • Installer-source spoofing, so the package reports Google Play as its installer and sidesteps Android checks that treat sideloaded apps with suspicion
  • Automatic start after device reboot, so the implant keeps running without the victim reopening the app

The malicious application requests 20 permissions at install time; six of them are particularly concerning because they enable:

  • Real-time access to precise GPS location data
  • Complete access to SMS messages
  • Full access to contact lists
  • Access to accounts stored on the device
  • Ability to create phishing overlays on other applications
  • Interception of one-time passwords and credentials (through the SMS and overlay access above)
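As an added illustration of how an analyst would triage a package like this from its manifest (this is example code written for this article, not Acronis TRU tooling, and the sample manifest and the mapping of the six capabilities to specific Android permissions are my assumptions, not indicators from the report), the script below parses a constructed AndroidManifest.xml, lists the requested permissions that correspond to each capability, and flags a receiver registered for BOOT_COMPLETED, which is how the reboot persistence in the previous list is typically implemented:

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used for android:name and friends.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the six capabilities described in the article to the
# Android permissions that grant them. This is the author's assumption for the
# example, not a list taken from the Acronis report.
CAPABILITIES = {
    "precise location": {"android.permission.ACCESS_FINE_LOCATION"},
    "SMS access / OTP interception": {"android.permission.READ_SMS",
                                      "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device accounts": {"android.permission.GET_ACCOUNTS"},
    "overlay (phishing windows)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Capabilities that a rocket-warning app has no business requesting. Location
# alone is expected (alerts are regional), so it is not on this list.
NEVER_EXPECTED_FOR_ALERT_APP = {
    "SMS access / OTP interception", "contacts", "device accounts",
    "overlay (phishing windows)",
}

# Constructed sample manifest modelled on the behaviour described in the
# article; package name, label and receiver class are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alertupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Red Alert">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, requested permissions and any receivers that
    listen for BOOT_COMPLETED (the usual reboot-persistence hook)."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    boot_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED":
                boot_receivers.append(receiver.get(ANDROID_NS + "name"))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "boot_receivers": boot_receivers,
    }


def triage(manifest_info):
    """Map requested permissions onto the capability list and decide whether
    the package looks like a plausible alert app or a surveillance implant."""
    findings = {}
    for label, wanted in CAPABILITIES.items():
        hits = sorted(manifest_info["permissions"] & wanted)
        if hits:
            findings[label] = hits
    # Boot persistence only matters if there is actually a receiver wired up.
    if "boot persistence" in findings and not manifest_info["boot_receivers"]:
        findings["boot persistence"].append("(permission declared, no BOOT_COMPLETED receiver)")
    unexpected = sorted(set(findings) & NEVER_EXPECTED_FOR_ALERT_APP)
    verdict = "suspicious" if unexpected else "plausible"
    return {"findings": findings, "unexpected": unexpected, "verdict": verdict}


def triage_sample():
    """Run the triage over the constructed sample manifest."""
    return triage(parse_manifest(SAMPLE_MANIFEST))


if __name__ == "__main__":
    result = triage_sample()
    for label, perms in result["findings"].items():
        print(f"{label}: {', '.join(perms)}")
    print("verdict:", result["verdict"], "| unexpected:", result["unexpected"])
```

The decision rule deliberately treats location as normal, because a real regional alert app needs it; the anomaly is the combination of SMS, contacts, accounts and overlay access inside something sold as a rocket-warning update. To apply this to a real sample, extract the manifest with a tool such as apktool or aapt and feed the decoded XML to parse_manifest.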

Data exfiltration and command infrastructure

All stolen data is staged locally on infected devices before being continuously transmitted to the attackers' remote command-and-control (C2) server. This includes not only location and message data but also potentially sensitive authentication credentials and financial information intercepted through phishing overlays.

The malware's ability to draw overlays on top of legitimate applications is a particularly dangerous capability. An overlay that mimics a banking or account login screen records whatever the victim types, including passwords, account numbers and any second factor entered by hand, and because the malware can also read incoming SMS, one-time codes delivered by text message provide little protection against it.

Attribution and threat actor profile

TRU analysts believe the campaign may be linked to Arid Viper, a Hamas-aligned cyberespionage group also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion. This group has been active since at least 2013 and typically targets Israelis using surveillance malware across Android, iOS, and Windows platforms.

"The campaign is likely indiscriminate," Kimhy noted, pointing to warnings issued by the Israeli National Cyber Directorate and major Israeli news sites as evidence that the phishing attack has reached a broad audience.

Context of regional cyber operations

TRU lead security researcher Santiago Pontiroli emphasized that such campaigns typically spike during periods of military escalation in the region. "Activity like this underscores how cyber operations increasingly serve as an intelligence-gathering layer that runs in parallel to kinetic conflict, enabling actors to monitor targets, map networks, and identify high-value individuals during periods of heightened geopolitical tension."

Pontiroli explained that attackers frequently leverage wartime themes such as emergency alerts, missile warnings, or security updates as social engineering lures to distribute surveillance malware and collect sensitive information.

Security implications and response

The discovery highlights the ongoing challenge of mobile security in conflict zones, where the trust placed in a safety-critical application can be turned against its users through social engineering. The spoofed signing certificate and installer source show that the attackers took care to defeat the checks Android and users rely on to tell a sideloaded package from one installed from Google Play.

Israeli authorities have issued warnings about the phishing attack, and cybersecurity experts recommend that users install or update emergency alert applications only through official app stores rather than by following links in SMS messages. Because the malware spoofs its installer source, a package that reports Google Play as its installer is not by itself proof that it came from there; a device that has already installed an app from one of these links should have that app removed and its credentials and one-time-password-protected accounts treated as compromised.

This campaign represents the latest example of how cyber operations have become an integral component of modern conflict, serving both intelligence-gathering and psychological warfare objectives while exploiting the trust users place in critical safety applications.
