Overview
- Attackers are sending phony texts that mimic Home Front Command notices to push a fake update outside the Google Play Store.
- The lookalike app continues to display genuine alerts while a surveillance payload runs in the background to avoid raising suspicion.
- The malware requests high‑risk permissions for SMS, contacts and precise GPS, enabling data theft and potential two‑factor code interception.
- CloudSEK reports advanced evasion, including spoofed signing and installer data, reflection and proxy hooks, and a three‑stage loader that conceals embedded payloads.
- Exfiltrated data is posted to api.ra-backup[.]com over infrastructure hosted on AWS and proxied via Cloudflare, and defenders are urged to isolate devices, revoke admin rights, factory‑reset and block malicious domains.
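The permission set and sideloading path described above give a defender a simple host-side triage check. The script below is an added example, not code from CloudSEK or from the report; it parses text in the shape of `adb shell dumpsys package` output (the sample is constructed, and the package names in it are placeholders) and flags packages that were not installed by Google Play yet request the SMS, contacts and precise-location combination.

```python
"""Triage helper: flag sideloaded Android packages that request the
SMS + contacts + precise-location combination described above.
Input is text shaped like `adb shell dumpsys package <pkg>` output;
SAMPLE_DUMP is constructed for illustration, not captured from real malware."""
import re

PLAY_STORE = "com.android.vending"  # installer id used by Google Play
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed excerpt: one sideloaded package with the risky combination,
# one Play-installed package with benign permissions. Names are placeholders.
SAMPLE_DUMP = """\
Package [il.example.alerts] (abc123):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
Package [com.example.weather] (def456):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
"""

def parse_packages(dump):
    """Return {package: {"installer": str|None, "perms": set}} from dump text."""
    pkgs, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            pkgs[current] = {"installer": None, "perms": set()}
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("installerPackageName="):
            v = s.split("=", 1)[1]
            pkgs[current]["installer"] = None if v == "null" else v
        elif s.startswith("android.permission."):
            pkgs[current]["perms"].add(s.split(":", 1)[0])  # drop ": granted=..." suffix
    return pkgs

def flag_suspicious(pkgs, min_hits=3):
    """Packages not installed by Play that request >= min_hits HIGH_RISK permissions."""
    return [(name, info["installer"], sorted(info["perms"] & HIGH_RISK))
            for name, info in pkgs.items()
            if info["installer"] != PLAY_STORE
            and len(info["perms"] & HIGH_RISK) >= min_hits]

if __name__ == "__main__":
    for name, installer, hits in flag_suspicious(parse_packages(SAMPLE_DUMP)):
        print(f"{name} installer={installer} risky={hits}")
```

On a real device, feed it the output of `adb shell dumpsys package` for each installed package; a hit is a candidate for the isolation and reset steps listed above, not proof of infection on its own.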