Malicious “RedAlert – Rocket Alerts” Application Targets Israeli Phone Calls, SMS, and User Information

Created on November 12, 2023 at 10:33 am

6 min read

On October 13, 2023, Cloudflare’s Cloudforce One Threat Operations Team became aware of a website hosting a Google Android application package (APK) impersonating the legitimate RedAlert – Rocket Alerts application (https://play.google.com/store/apps/details?id=com.red.alert&hl=en&pli=1). More than 5,000 rockets have been launched into Israel since the attacks from Hamas began on October 7, 2023. RedAlert – Rocket Alerts, developed by Elad Nava, allows individuals to receive timely and precise alerts about incoming airstrikes. Many people living in Israel rely on these alerts to seek safety, a service which has become increasingly important given the newest escalations in the region.

Applications alerting of incoming airstrikes have become targets: only days ago, the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, “Red Alert: Israel” by Kobi Snir (https://cybernews.com/cyber-war/israel-redalert-breached-anonghost-hamas/). Their exploit allowed them to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a “nuclear bomb is coming”. AnonGhost also claimed to have attacked other rocket alert applications, including RedAlert by Elad Nava. As of October 11, 2023, the RedAlert app was reportedly functioning normally.

In the last two days, a new malicious website (hxxps://redalerts[.]me) has advertised the download of the well-known open source application RedAlert by Elad Nava (https://github.com/eladnava/redalert-android). Domain impersonation continues to be a popular vector for attackers: the legitimate website for the application (hxxps://redalert[.]me) differs from the malicious website by only one letter. Further, threat actors continue to take open source code and deploy modified, malicious versions of it to unsuspecting users.

The malicious website hosted links to both the iOS and the Android version of the RedAlert app. While the link to the Apple App Store referred to the legitimate version of the RedAlert app by Elad Nava, the link supposedly pointing to the Android version on the Play Store directly downloaded a malicious APK file. This attack demonstrates the danger of sideloading applications directly from the Internet instead of installing them from the approved app store.

The malicious RedAlert version imitates the legitimate rocket alert application but simultaneously collects sensitive user data. Additional permissions requested by the malicious app include access to contacts, call logs, SMS, account information, as well as an overview of all installed apps.

The website hosting the malicious file was created on October 12, 2023 and has since been taken offline. Only users who installed the Android version of the app from this specific website are impacted; they are urgently advised to delete the app. Users can determine whether they installed the malicious version by reviewing the permissions granted to the RedAlert app. If users are unsure whether they installed the malicious version, they can delete the RedAlert application and reinstall the legitimate version directly from the Play Store.

Screenshot of the attacker site https://redalerts[.]me

Malicious Android Package Kit (APK) Analysis

The malicious Android Package Kit (APK) file is installed by a user when they click the Google Play button on the fake RedAlert site. Once clicked, the user downloads the app directly from the fake site at hxxps://redalerts[.]me/app.apk. The SHA-256 hash of the APK is 5087a896360f5d99fbf4eb859c824d19eb6fa358387bf6c2c5e836f7927921c5.

Capabilities

A quick analysis of the AndroidManifest.xml file shows several differences compared to the legitimate, open source RedAlert application. Most notable are the additional permissions needed to collect information on the victim. The permissions added are listed below (note that READ_PRIVILEGED_PHONE_STATE is a signature-level permission that Android never grants to a sideloaded app, so it is a red flag in the manifest rather than a working capability):

android.permission.GET_ACCOUNTS

android.permission.QUERY_ALL_PACKAGES

android.permission.READ_CALL_LOG

android.permission.READ_CONTACTS

android.permission.READ_PHONE_NUMBERS

android.permission.READ_PHONE_STATE

android.permission.READ_PRIVILEGED_PHONE_STATE

android.permission.READ_SMS
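The permission diff above is the cheapest way to triage a suspect build. The following Go program, an added example and not code from the post or from either the legitimate or malicious app, parses a decoded AndroidManifest.xml (as produced by apktool or aapt), diffs its uses-permission entries against a baseline, and maps the extras onto the Settings permission groups a user would see. The baseline set and the embedded manifest are constructed for the example: the post does not list the legitimate build's permissions, so the baseline is an assumption to be regenerated from a trusted copy.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// Minimal model of a decoded (apktool / aapt) AndroidManifest.xml; only the
// package name and the <uses-permission> entries matter for this check.
type manifest struct {
	Package     string `xml:"package,attr"`
	Permissions []struct {
		Name string `xml:"name,attr"`
	} `xml:"uses-permission"`
}

// ParsePermissions returns the package name and the sorted permissions a
// decoded manifest declares.
func ParsePermissions(manifestXML string) (string, []string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return "", nil, err
	}
	perms := make([]string, 0, len(m.Permissions))
	for _, p := range m.Permissions {
		perms = append(perms, p.Name)
	}
	sort.Strings(perms)
	return m.Package, perms, nil
}

// ExtraPermissions returns the declared permissions absent from the baseline
// (the permission set of a known-good build), sorted.
func ExtraPermissions(declared []string, baseline map[string]bool) []string {
	extra := []string{}
	for _, p := range declared {
		if !baseline[p] {
			extra = append(extra, p)
		}
	}
	sort.Strings(extra)
	return extra
}

// SettingsGroups maps permissions onto the runtime permission groups shown
// under Settings > Apps > RedAlert > Permissions, which is how the post tells
// users to spot the malicious build. QUERY_ALL_PACKAGES and the privileged
// permission have no user-visible group and so never show up there.
func SettingsGroups(perms []string) []string {
	groupOf := map[string]string{
		"android.permission.READ_CALL_LOG":      "Call Logs",
		"android.permission.READ_CONTACTS":      "Contacts",
		"android.permission.GET_ACCOUNTS":       "Contacts",
		"android.permission.READ_PHONE_STATE":   "Phone",
		"android.permission.READ_PHONE_NUMBERS": "Phone",
		"android.permission.READ_SMS":           "SMS",
	}
	seen := map[string]bool{}
	groups := []string{}
	for _, p := range perms {
		if g, ok := groupOf[p]; ok && !seen[g] {
			seen[g] = true
			groups = append(groups, g)
		}
	}
	sort.Strings(groups)
	return groups
}

// BaselineRedAlert is an ASSUMED permission set for the upstream app; the post
// does not list it. Regenerate from a trusted copy with
// `aapt dump permissions redalert.apk` before relying on it.
var BaselineRedAlert = map[string]bool{
	"android.permission.INTERNET":               true,
	"android.permission.VIBRATE":                true,
	"android.permission.RECEIVE_BOOT_COMPLETED": true,
}

// SampleManifest is a CONSTRUCTED decoded manifest: the baseline above plus
// the eight permissions the post lists for the malicious build.
const SampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.red.alert">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>`

func main() {
	pkg, perms, err := ParsePermissions(SampleManifest)
	if err != nil {
		panic(err)
	}
	extra := ExtraPermissions(perms, BaselineRedAlert)
	fmt.Printf("%s declares %d permissions, %d not in the baseline:\n  %s\n",
		pkg, len(perms), len(extra), strings.Join(extra, "\n  "))
	fmt.Println("Settings groups to look for:", strings.Join(SettingsGroups(extra), ", "))
}
```

Run it against the output of `apktool d app.apk` by reading AndroidManifest.xml into ParsePermissions instead of SampleManifest. The diff is only as good as the baseline: take it from the tag of the upstream repository that matches the version string in the suspect APK, since a newer legitimate release may legitimately add permissions.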

The application is designed to look and act like RedAlert. However, upon opening the app, a malicious service is started in the background. The startService() call is the only change to the onCreate() method, and it begins the sequence of malicious activity, which the actor has placed in a package called com.company.allinclusive.AI.

The attacker starts their malicious code within the legitimate RedAlert code, com.red.alert.activities: Main.java

The service is run to gather data from victims’ phones and upload it to the actor’s server. The data is extensive and includes:

SIM information, including IMEI and IMSI numbers, network type, country, voicemail number, PIN status, and more

Full Contact list

All SMS messages, including content and metadata for all statuses (e.g. received, outgoing, sent, etc.)

A list of accounts associated with the device

All phone call details, including incoming, outgoing, missed, rejected, and blocked calls

Logged-in email and app accounts

List of installed applications

The actor’s code for gathering this information is illustrated below.

com.company.allinclusive.AI: AIMain.java contains the data the attacker will capture from the target

Stolen data is uploaded to an HTTP server at a hardcoded IP address. The actor has a Tools class which holds the IP address to which the data is uploaded:

com.company.allinclusive.AI: Tools.java stores the attacker’s command and control address for the malware

Although HTTP and port 80 are specified, the actor appears to have the ability to use HTTPS and port 443 if a certificate is found bundled within the application package:

com.company.allinclusive.AI: UploadFileAsync.java

Data is uploaded through a Connector class, written by the actor. The Connector is responsible for encrypting the stolen data and uploading it to the HTTP server. In this sample, files are encrypted with AES in CBC mode with PKCS5 padding. The AES keys are randomly generated and appended to the packaged data; however, the keys are themselves encrypted with RSA using a public key bundled in the malicious app. Because of this, anybody who is able to intercept the stolen data will be unable to decrypt it without the actor’s private key.

The encrypted files have names that look like <ID>_<DATE>.final, which contain:

<ID>_<DATE>.enc (encrypted data)

<ID>_<DATE>.param (AES encryption parameters, e.g. key and IV)

<ID>_<DATE>.eparam (RSA parameters, e.g. public key)
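The hybrid scheme described above is worth seeing end to end, because it explains why a captured upload or a recovered .final file is a dead end for the defender. The Go program below is an added example, not the actor’s Connector code or anything from the post: it reproduces the scheme as described (fresh random AES key and IV per file, AES-CBC with PKCS5 padding, key material sealed with RSA/PKCS1 v1.5 under a bundled public key) and shows that only the holder of the matching private key can recover the data. The exact byte layout inside .param and .eparam, AES-256 as the key size, and the sample plaintext are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
)

// Bundle models the three files the post describes inside <ID>_<DATE>.final.
// The byte layout inside each file is an ASSUMPTION of this example.
type Bundle struct {
	Enc    []byte // <ID>_<DATE>.enc: AES-CBC/PKCS5 ciphertext
	Param  []byte // <ID>_<DATE>.param: AES key||IV, RSA/PKCS1 v1.5 encrypted
	EParam []byte // <ID>_<DATE>.eparam: the RSA public key used (PKCS#1 DER)
}

// pkcs5Pad / pkcs5Unpad implement the PKCS#5 (PKCS#7) padding CBC needs.
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Pack is the exfiltration side: a fresh AES-256 key and IV for this file,
// data encrypted under AES-CBC, and the key material sealed to the actor's
// RSA public key so that the bundle carries everything except the ability
// to open it.
func Pack(plain []byte, pub *rsa.PublicKey) (*Bundle, error) {
	key := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(append([]byte(nil), plain...))
	enc := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, padded)
	param, err := rsa.EncryptPKCS1v15(rand.Reader, pub, append(key, iv...))
	if err != nil {
		return nil, err
	}
	return &Bundle{Enc: enc, Param: param, EParam: x509.MarshalPKCS1PublicKey(pub)}, nil
}

// Unpack is what the actor does server-side and what an interceptor cannot:
// .eparam only holds the public key, so without priv the AES key stays sealed.
func Unpack(b *Bundle, priv *rsa.PrivateKey) ([]byte, error) {
	kiv, err := rsa.DecryptPKCS1v15(rand.Reader, priv, b.Param)
	if err != nil {
		return nil, fmt.Errorf("unsealing AES key: %w", err)
	}
	if len(kiv) != 32+aes.BlockSize {
		return nil, errors.New("bad key material")
	}
	if len(b.Enc)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, err := aes.NewCipher(kiv[:32])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(b.Enc))
	cipher.NewCBCDecrypter(block, kiv[32:]).CryptBlocks(out, b.Enc)
	return pkcs5Unpad(out)
}

func main() {
	actor, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the bundled key pair
	bundle, err := Pack([]byte("sms,+972-5x-xxx-xxxx,hello"), &actor.PublicKey) // constructed sample
	if err != nil {
		panic(err)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an interceptor guessing a key
	_, err = Unpack(bundle, other)
	fmt.Println("wrong private key:", err)
	plain, err := Unpack(bundle, actor)
	fmt.Printf("actor's private key: %q %v\n", plain, err)
}
```

The practical consequence for incident response is that recovery of the exfiltrated content has to come from the victim device (the collected data is still present in the contacts, SMS and call-log providers) or from the actor’s server, not from network captures. The public key in .eparam is still useful as an indicator, since every bundle produced by the same build carries it.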

Anti-Analysis Runtime Capabilities

To avoid detection, the actor included anti-analysis capabilities which run at the time the app is started. The anti-analysis methods the attacker included are anti-debugging, anti-emulation, and anti-test checks.

Anti-Debugging

The application makes a simple call using the built-in android.os.Debug package to see if the application is being debugged.

com.company.allinclusive.AI.anti.debugger: FindDebugger.java

Anti-Emulation

The application attempts to locate certain files and identifiers to determine whether it is being run in an emulated environment. A snippet of these indicators is shown below:

com.company.allinclusive.AI.anti.emulator: FindEmulator.java checks for common emulators

Anti-Test

The application has utilities to identify whether a test user (“monkey”) is using the application:

com.company.allinclusive.AI.anti.monkey: FindMonkey.java

These methodologies are all rudimentary checks for whether the application is under runtime analysis. They do not, however, protect the malicious code against static analysis.

How To Detect This Malware On Your Device

If you have installed RedAlert on your device, the extraneous permissions added by the actor can be used to determine whether you have been compromised. The following permissions appearing on the RedAlert app (whether or not enabled) would indicate compromise:

Call Logs

Contacts

Phone

SMS

How To Protect Yourself

You can avoid attacks like this by following the guidance below:

Keep your mobile device up to date on the latest software version at all times

Consider using Cloudflare Teams (with Cloudflare Gateway)

Avoid using third party mobile application stores

Never install applications from Internet URLs or sideload payloads

Consider using 1.1.1.1 for families to block malicious domains on your network

IOCs

Type                                         Indicator
Malicious RedAlert APK download URL          hxxp://redalerts[.]me/app.apk
Malicious RedAlert APK command and control   hxxp://23.254.228[.]135:80/file.php
Malicious RedAlert APK (SHA-256)             5087a896360f5d99fbf4eb859c824d19eb6fa358387bf6c2c5e836f7927921c5
Public key, RSA/ECB/PKCS1Padding             (key material not reproduced in this copy of the post)
