Multiple reports highlight evolving Android threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to runtime manipulation using the LSPosed framework, where a malicious module (e.g., Digital Lutera) hooks SmsManager and TelephonyManager to undermine India’s UPI SIM-binding controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to Telegram; it also uses Socket.IO for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover.
Separately, Acronis TRU (reported by Hackread) identified a fake Red Alert rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal GPS location, SMS/OTP, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via certificate spoofing and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, SurxRAT, that can download and run LLM modules from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., Play Integrity API with MEETS_STRONG_INTEGRITY) where applicable.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Zimperium described SurxRAT as a new Android remote-access trojan able to download and execute large language model modules from third-party repositories. According to the report, the modules can automate phishing, social engineering, and interaction with on-device apps to steal credentials and other sensitive data.
CloudSEK reported an Android financial-fraud method using a malicious LSPosed module called "Digital Lutera" to intercept UPI SIM-binding tokens, spoof phone identity, inject forged SMS records, and exfiltrate data to Telegram. The report linked the activity to a Telegram persona known as "Berlin" and described targeting of Indian payment and banking defenses.
In its analysis of the campaign, Acronis assessed the operators as potentially linked to Arid Viper (APT-C-23) based on overlapping tactics, techniques, and procedures. The report also noted certificate spoofing and attempts to make the app appear as if it had been installed from Google Play.
Acronis Threat Research Unit discovered on 2026-03-01 an Android espionage campaign using SMS messages impersonating Israel’s Home Front Command to push a trojanized Red Alert rocket-warning app. The fake app showed legitimate alerts while covertly stealing data such as SMS/OTP messages, contacts, GPS location, app inventory, and registered account details.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cloudsek.com
Open sourcezimperium.com
Open sourcehackread.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.