Hacked App Part of US/Israeli Propaganda Campaign Against Iran

Wired has the story:

Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store.

The messages arrived in quick succession over a period of 30 minutes, starting with the phrase ‘Help has arrived’ at 9:52 am Tehran time, shortly after the first set of explosions. No party has claimed responsibility for the hacks.

It happened so fast that this is most likely a government operation. I can easily envision both the US and Israel having hacked the app previously, and then deciding that this is a good use of that access.

Posted on March 5, 2026 at 6:28 AM • 7 Comments

Comments

Rontea March 5, 2026 9:53 AM

Using a popular prayer app as the vector is a clever form of psychological operations, exploiting both trust and timing. The attribution problem here is significant: without clear evidence, claims of nation-state involvement remain speculative.

lurker March 5, 2026 12:40 PM

“One important but seemingly ignored fact about this app is that it requests location access to operate. […] Push notifications are trusted by design, […] the entire model assumes that if you installed an app, the messages it sends are legitimate.”

https://www.theregister.com/2026/03/02/iran_prayer_app_propaganda_hack_israel/

There’s no need to hack the app as downloaded and installed on users’ devices: the hack could happen on a third party platform delivering the push messages.

lurker March 5, 2026 1:12 PM

NB I have the simple minded user’s attitude that the “app” is the bit of software I downloaded, and which operates on my device. I am aware that others regard the “app” as including any backend servers, and communication networks.

‘BadeSaba Calendar’ is still available from the legitimate Google Play Store[1], and presumably carries the ‘Play Protect’ seal of approval, thus users would trust it. If each user registration carried a serial number, allowing individual users to be tracked and targeted, would this still qualify for Play Protect?

There was some outcry that shutting down the internet when hostilities began was a cruel impost on Iranian citizens’ right to communicate with their families and loved ones. But this event demonstrates that shutting down the internet was a defensive move against foreign propaganda, like jamming radio broadcasts has been in past conflicts.

[1] https://cybersecuritynews.com/beware-of-website-mimicking-google-play-store/

Bcs March 5, 2026 2:56 PM

I wonder if any nation state actor has considered using a hacked app to deliver firewall bypass tools? If you think the population would welcome outside intervention, then handing them a secure (from their own government) communication channel would be an effective ploy.

And the interesting list of things you could do with a Trojan on a few million phones in a country you don’t like just gets more interesting from there.

Clive Robinson March 5, 2026 5:29 PM

@ ALL,

The Wired article notes,

“Attribution in cases like this is always complex, and it’s still too early to draw conclusions.”

Which is true enough.

However the article also notes that the Internet had been blocked for most Iranians by the Iranian leadership.

But it does not go into the implications of these two facts.

The first question being,

“If the Internet was effectively turned off, how did these messages appear?”

I’ll let others ponder on that but “store and forward” onto the device is a possibility, but getting the timing right would be difficult at best…

This would tend to suggest a “Level III” attacker is behind it with the US and Israel doing it “jointly” being the obvious but potentially wrong conclusion to make.

So I’ll reserve judgment and await further details of the attack app, I suspect it will prove “interesting but inconclusive”.

cls March 6, 2026 6:35 PM

This sort of thing is exactly what I would do to communicate one way with my deep embedded assets. They fit right in with the prayer schedule and the app. Everyone expects them to respond when the app dings. “Help is on the way”, prearranged signal, meaning help in the form of foreign aggression, indeed.
