RedAlert Trojan Campaign Fake Emergency Alert App Spread via...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command
• Blog Title: RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command
• Suggested Section: 📱 Mobile Pentesting -> Android Applications Pentesting (new page/subsection around 'Android anti-tamper / signature spoofing / PackageManager (IPackageManager) hooking' and/or 'Dynamic code loading via ApplicationInfo sourceDir/publicSourceDir rewriting')

🎯 Content Summary

Title / context (what is happening)
CloudSEK describes a smishing (SMS phishing) Android espionage campaign that weaponizes wartime urgency by distributing a trojanized “Red Alert” emergency-alert app that impersonates Israel’s Home Front Command app. The delivery is designed to bypass the legitimate distribution channel (Google Play), convincing victims to sideload a malicious APK from attacker-controlled links (including bit.ly shorteners). The malicious app keeps a fully fun...

🔧 Technical Details

PackageManager hook for signature + installer spoofing: Replace android.app.ActivityThread’s sPackageManager/mPM with a Java dynamic proxy (Proxy.newProxyInstance) so all IPackageManager calls flow through invoke(). Intercept getPackageInfo and return attacker-chosen signing certificate data (decoded from an embedded Base64 blob) to defeat signature/tamper checks. Intercept getInstallerPackageName and always return com.android.vending so a sideloaded APK appears Play-installed to policies/heuristics.

Hardcoded certificate blob format to feed anti-tamper logic: Embed an X.509 DER certificate and a small header parsed via DataInputStream (e.g., first byte = number of signatures; next 4 bytes = cert length). This lets malware precisely control what certificate is “reported” to integrity checks without changing the actual APK signing ident...

🤖 Agent Actions

Summary

1. Added a new Android pentesting page documenting PackageManager proxy spoofing, hardcoded signature blob spoofing, ApplicationInfo path rewriting for dynamic payloads, and permission-state polling indicators.
2. Linked the new page from the Android Applications Pentesting index.

Files Updated

1. src/mobile-pentesting/android-app-pentesting/android-package-manager-hooking-and-dynamic-loading.md
2. src/mobile-pentesting/android-app-pentesting/README.md

Tests

1. Not run (documentation-only changes).

If you want, I can also cross-link this from other Android malware analysis–oriented pages or add a short detection checklist section.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command

Content Categories: Based on the analysis, this content was categorized under "📱 Mobile Pentesting -> Android Applications Pentesting (new page/subsection around 'Android anti-tamper / signature spoofing / PackageManager (IPackageManager) hooking' and/or 'Dynamic code loading via ApplicationInfo sourceDir/publicSourceDir rewriting')".

Repository Maintenance:

• MD Files Formatting: 955 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0