Unraveling the RedHook Android Banking Trojan Targeting Vietnamese Users
In a concerning development for mobile security, researchers from Cyble Research and Intelligence Labs (CRIL) have reported a new Android banking trojan dubbed RedHook. This malware is specifically designed to exploit and target Vietnamese mobile users through cleverly disguised phishing websites that masquerade as legitimate financial and governmental entities.
Understanding the RedHook Trojan Campaign
The RedHook malware first came to light when CRIL identified a phishing website, sbvhn[.]com, which closely mimics the State Bank of Vietnam. Users are enticed to download a malicious APK file (SBV.apk) from an unprotected AWS S3 bucket (hxxps://nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com/SBV.apk). Disturbingly, this S3 bucket has been accessible since November 2024 and harbors materials such as screenshots, phishing templates, and various iterations of the malware itself. Analysis indicates that RedHook has been operational since at least November 2024, with instances emerging by January 2025.
The underlying architecture supporting RedHook includes domains like mailisa[.]me, which were previously linked to cosmetic fraud in Vietnam. This evolution highlights a shift from general social engineering scams to more sophisticated methods involving an Android banking trojan embedded within phishing platforms.
Infection Process and Functionalities
Upon installation, RedHook prompts users to enable overlay access (permission to draw over other apps) and Android accessibility services, which together grant the malware extensive control over the device. With these permissions, RedHook can launch overlay phishing pages, log keystrokes, exfiltrate contacts and SMS messages, and manage app installations. By leveraging Android’s MediaProjection API, it can also capture screen content and stream it over WebSocket to the attackers’ command infrastructure.
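The combination described above (overlay permission plus a bound accessibility service, alongside SMS, contact and package-installation rights) is a useful triage signal for defenders reviewing an APK before it reaches devices. The following script is an added example, not code from the Cyble report or from the malware; it parses an AndroidManifest.xml with the standard library and scores the permission profile. The sample manifest and the package name com.example.fakebank are constructed for this demonstration; the permission names are real Android permissions.

```python
"""Triage an AndroidManifest.xml for the RedHook-style permission profile.

Added example (not from the CRIL report). The sample manifest below is
constructed; the permission identifiers are genuine Android permissions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, in combination, match the capabilities the report describes.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay (draw over other apps)",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a dropper that asks for the full set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="SBV">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return package name, matched findings and a coarse verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

    findings = [desc for perm, desc in RISKY_PERMISSIONS.items() if perm in requested]

    # A service protected by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    has_accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for svc in root.iter("service")
    )
    if has_accessibility:
        findings.append("accessibility service")

    # Overlay + accessibility together is the core of the pattern; the extra
    # data-access permissions raise the verdict further.
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    if overlay and has_accessibility and len(findings) >= 4:
        verdict = "high"
    elif overlay and has_accessibility:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

Run it against the `AndroidManifest.xml` produced by a decoder such as apktool; a legitimate banking app will normally request none of the accessibility or overlay items and lands at "low".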
Maintaining a persistent connection with its command-and-control (C2) server, located at skt9.iosgaxx423.xyz, the malware can execute a staggering 34 distinct remote commands. These allow operators to gather device details, SMS messages, screenshots, and much more.
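The phishing domain, the S3 download URL and the C2 host named on this page are the indicators a defender would push into DNS and proxy log searches. The script below is an added example, not part of the Cyble report: it refangs the defanged indicators in memory, extracts hostnames from log lines and reports exact or subdomain matches. The log lines and the 10.0.5.x client addresses are constructed; only the indicator values come from the article.

```python
"""Match the RedHook indicators quoted in the article against proxy/DNS logs.

Added example (not from the CRIL report). Indicator values are those given
on the page; the log lines are constructed for demonstration.
"""
import re

DEFANGED_IOCS = [
    "sbvhn[.]com",                                      # phishing site
    "mailisa[.]me",                                     # related infrastructure
    "skt9.iosgaxx423.xyz",                              # C2 (quoted undefanged)
    "nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com",  # APK download bucket
]


def refang(ioc: str) -> str:
    """Turn 'hxxps://a[.]b' into 'https://a.b' (lower-cased)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


# Dotted hostnames; the trailing \b stops before ':port' or '/path'.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def build_matcher(defanged):
    hosts = {refang(h) for h in defanged}

    def match(line: str) -> list:
        hits = set()
        for host in HOST_RE.findall(line.lower()):
            for ioc in hosts:
                # exact match or a subdomain of the indicator
                if host == ioc or host.endswith("." + ioc):
                    hits.add(ioc)
        return sorted(hits)

    return match


# Constructed log lines: three touching RedHook infrastructure, one benign.
SAMPLE_LOGS = [
    "2025-01-12T08:01:13Z dns query A sbvhn.com from 10.0.5.21",
    "2025-01-12T08:01:20Z proxy GET https://nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk 10.0.5.21",
    "2025-01-12T08:03:44Z ws CONNECT skt9.iosgaxx423.xyz:443 from 10.0.5.21",
    "2025-01-12T08:04:00Z dns query A www.google.com from 10.0.5.22",
]


def scan(lines, defanged=DEFANGED_IOCS):
    """Return (line, matched_iocs) for every line that hits an indicator."""
    match = build_matcher(defanged)
    return [(line, hits) for line in lines if (hits := match(line))]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(", ".join(hits), "<-", line)
```

Keeping the list defanged and refanging only inside the process avoids accidentally producing live links in tickets or chat; the subdomain rule also catches hosts such as a sub-label of the C2 domain without listing each one.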
A Closer Look at Technical Capabilities
When it first runs, RedHook displays a counterfeit login interface that impersonates the State Bank of Vietnam. After users input their credentials, this information is sent to the server’s authentication endpoint, which then provides a JSON Web Token (JWT) for access. Using this token, the malware reports information about the infected device, such as device ID, brand, orientation, and security settings, enabling attackers to register and track compromised devices. Alarmingly, analysis indicated that user IDs had risen to over 570, signifying more than 500 infections.
The phishing process unfolds in several methodical stages:
- Victims are asked to take a photo of their citizen ID and upload it, which is then sent to /file/upload/.
- Users receive prompts to provide personal details such as bank name, account number, address, and birthdate, presented in Indonesian rather than Vietnamese.
- Lastly, victims are required to enter a 4-digit password and a 6-digit verification code.
Every keystroke is meticulously logged and sent back to the C2 server, tagged with the package name and activity of the app in which it was typed.
Insights into the Malware’s Infrastructure
One striking feature of RedHook is its reliance on a direct WebSocket connection for remote access. During these sessions, captured screen images are streamed in real time. The exposed S3 bucket contained not only screenshots from the WebSocket sessions but also user interface elements in Chinese, suggesting the involvement of a Chinese-speaking threat actor.
The exposed S3 bucket contained phishing templates targeting various recognized Vietnamese entities, such as Sacombank and the traffic police, further illustrating the sophistication and depth of the RedHook operation.
Indicators of Attribution and Threat Origin
Evidence strongly points to a potential Chinese-speaking origin for this malware campaign. Multiple artifacts, including Chinese text in screenshots and code, lend credence to this hypothesis. Furthermore, the domain mailisa[.]me has previous links to scams in Vietnam, marking a clear trajectory from simple fraud to the more advanced RedHook operations.
Mitigating Risks Associated with RedHook
The emergence of RedHook signifies a troubling advancement in mobile malware tactics, intertwining phishing, remote access capabilities, and extensive surveillance functionalities. Such a blend of features makes it exceptionally stealthy, often evading detection mechanisms.
To protect against threats like RedHook, mobile users should be cautious about downloading applications from unknown sources, scrutinize permission requests, and consider behavior-based mobile security solutions. Additionally, financial institutions must proactively share threat-related intelligence to disrupt the infrastructure supporting such mobile attacks.
Rising tides of mobile malware like RedHook underscore the necessity for ongoing vigilance in online security practices, especially for users in vulnerable regions.