Cyble Analysis and Intelligence Labs (CRIL) has uncovered a complicated Android banking trojan dubbed RedHook, which disguises itself as legit purposes from Vietnamese authorities and monetary establishments to deceive customers.
This malware, first noticed within the wild round January 2025, exploits phishing web sites mimicking entities just like the State Financial institution of Vietnam, Sacombank, Central Energy Company, Site visitors Police of Vietnam, and even the Authorities of Vietnam.
Distributed by way of misleading domains equivalent to sbvhn[.]com and hosted on AWS S3 buckets, RedHook methods customers into downloading malicious APKs that seem as official banking apps.
Discovery of RedHook Trojan
As soon as put in, it prompts victims to allow accessibility companies and overlay permissions, granting it intensive management over the machine.
This mix of permissions permits the trojan to observe person actions silently, overlay pretend interfaces, and bypass safety protocols, making it a potent device for credential theft and monetary fraud.
RedHook’s capabilities lengthen past fundamental phishing, incorporating distant entry trojan (RAT) functionalities, keylogging, and display seize by way of Android’s MediaProjection API.
It establishes a persistent WebSocket connection to command-and-control (C2) servers like api9[.]iosgaxx423.xyz and skt9[.]iosgaxx423.xyz, enabling real-time communication and execution of over 30 instructions.
These instructions vary from amassing machine data, SMS messages, and contacts to performing gestures like swipes, clicks, and textual content enter, in addition to putting in or uninstalling apps, capturing screenshots, and even rebooting the machine.
The malware’s phishing workflow is meticulously designed: it begins with pretend identification verification prompts requiring uploads of citizen ID images, adopted by requests for banking particulars, passwords, and two-step verification codes.
Keylogs, tagged with utility bundle names and energetic class particulars, are exfiltrated to the C2, whereas steady display streaming by way of JPEG photographs permits risk actors to remotely work together with the machine.
Code artifacts, together with Chinese language-language strings in logs and uncovered screenshots from an open AWS S3 bucket energetic since November 2024, level to a Chinese language-speaking developer or group behind RedHook.
This bucket revealed operational knowledge like pretend templates, phishing interfaces, and proof linking to prior scams by way of the area mailisa[.]me, indicating an evolution from social engineering fraud to superior malware-driven assaults.
Broader Implications
Regardless of its superior options, RedHook maintains low detection charges on platforms like VirusTotal, underscoring its stealthy nature and the challenges in cell risk landscapes. Evaluation reveals it has contaminated over 500 units, with person IDs incrementing sequentially upon compromise.
The trojan abuses legit APIs for protection evasion, equivalent to masquerading as trusted apps and injecting inputs to imitate person interactions, aligning with MITRE ATT&CK strategies like Phishing (T1660), Enter Injection (T1516), and Display Seize (T1513).
It collects protected knowledge, together with SMS (T1636.004) and contacts (T1636.003), exfiltrating by way of HTTP-based C2 channels (T1437.001). This permits systematic harvesting of delicate data for fraudulent transactions, typically with out sufferer consciousness.
The emergence of RedHook highlights the escalating sophistication of Android banking trojans in high-risk areas like Vietnam, mixing phishing, RAT, and keylogging for complete machine management.
Cybersecurity consultants advocate downloading apps solely from official sources, scrutinizing permission requests, enabling two-factor authentication, and utilizing cell safety options with real-time scanning.
Preserving units up to date with safety patches is essential to mitigate vulnerabilities. Proactive risk intelligence, together with monitoring darkish net actions, is important for early detection and response to such evolving cyber threats.
Indicators of Compromise (IOCs)
| Indicators | Indicator Sort | Description |
|---|---|---|
| 0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07 | SHA256 | RedHook |
| ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3 | SHA256 | RedHook |
| f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b | SHA256 | RedHook |
| adsocket[.]e13falsz.xyz | URL | C&C server |
| api9[.]iosgaxx423.xyz | URL | C&C server |
| skt9[.]iosgaxx423.xyz | Area | WebSocket URLs |
| api5[.]jftxm.xyz | Area | WebSocket URLs |
| dzcdo3hl3vrfl.cloudfront[.]internet/Chinhphu.apk | URL | Crimson Hook |
| nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk | URL | Distribution URL |
| sbvhn[.]com/ | URL | Phishing URL |
Discover this Information Fascinating! Observe us on Google Information, LinkedIn, & X to Get Immediate Updates!
