For civilians in Israel and in war zones, missile alert apps are not just software. They are lifelines. People rely on them for seconds that can save lives.
This week, a phishing campaign distributed a trojanized version of the Israeli “Red Alert” app. It worked exactly like the real one. Alerts came in. Maps loaded. Nothing looked suspicious.
At the same time, it silently collected:
And it sent that data to a remote HTTPS server.
This is not just malware deployed to harvest data and make money.
This is surveillance: tools used for the second part of the war, the one being fought across digital terrain.
In peacetime, spyware is a privacy issue…
In wartime, it becomes operational.
Real-time GPS data during active conflict means movement tracking; full SMS access means insight into coordination; contact lists mean mapping social networks; and installed apps and accounts mean profiling targets.
When that data comes from people living under missile fire, the stakes change.
This is intelligence collection at national civilian scale.
The malicious app did not just add spyware.
It:
The legitimate functionality was preserved on purpose, to preserve trust.
This was engineered.
This was not caught by a simple signature.
Dream’s Agents automatically analyzed the APK and reconstructed:
From one mobile sample, the platform connected code, infrastructure, and trust manipulation in a single reasoning flow.
Wartime cyber operations increasingly target civilian infrastructure.
Not to break it, but to see through it.
Emergency apps, communication tools, high-adoption platforms: these are now intelligence surfaces.
When a civilian alert app becomes a surveillance platform, every device becomes part of the battlefield.
Understanding that quickly is not about more alerts; it is about seeing the system as a whole.