RedHook Android Banking Trojan Targets Vietnamese Banks with Phishing, RAT, and Full Device Takeover
Amid the continued proliferation of Android-targeting malware, researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sophisticated new threat dubbed RedHook. First observed in January 2025, this banking Trojan exhibits a particularly deceptive modus operandi, masquerading as official applications from Vietnamese government agencies and financial institutions—including the State Bank of Vietnam, Sacombank, the Central Power Corporation, the Traffic Police, and various other state services.
To propagate the Trojan, attackers deploy meticulously crafted phishing websites designed to mimic legitimate government portals, hosted on domains such as “sbvhn[.]com” and served via Amazon S3 infrastructure. Unsuspecting users, believing they are downloading trustworthy APK files from banks or official bodies, are in fact installing malicious software.
Once installed, RedHook immediately requests permissions for accessibility services and overlay capabilities—privileges that allow it to silently monitor user activity, manipulate interface elements, and bypass security measures, including Single Sign-On (SSO) protocols. This potent combination renders it a formidable tool for harvesting credentials and executing fraudulent transactions.
RedHook’s arsenal includes remote access trojan (RAT) capabilities, keylogging functions, and screen capture via the Android MediaProjection API. Following installation, it establishes a persistent WebSocket connection to its command-and-control servers—identified as “api9[.]iosgaxx423[.]xyz” and “skt9[.]iosgaxx423[.]xyz”.
Through these channels, the malware receives real-time commands—over thirty have been documented—ranging from SMS exfiltration and contact list harvesting to system reconnaissance, gesture simulation, application management, screen imaging, and even forced device reboots.
The phishing sequence is executed in stages: the victim is first prompted to undergo “identity verification” by uploading a photo of their ID. The malware then solicits banking credentials, passwords, and two-factor authentication codes. Simultaneously, RedHook logs all keystrokes—tagged with the associated app and active window—and periodically transmits these logs to its C2 server. It also captures sequential screen snapshots in JPEG format, granting the remote operator near real-time visual access to the device.
An analysis of an open AWS S3 bucket, active since November 2024, uncovered logs containing Chinese-language strings, counterfeit UI templates, and screenshots from compromised devices. These findings suggest a Chinese-speaking threat actor may be behind RedHook, potentially linked to prior campaigns involving the “mailisa[.]me” domain, known for simpler but socially engineered scams.
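As an added example (not code from the CRIL report or from this article), the Python below refangs the domains quoted above and matches them, subdomains included, against a resolver log so a defender can see which devices contacted the phishing site or the C2 hosts. The log layout, client addresses and timestamps are constructed assumptions.

```python
import re

# Defanged indicators as quoted in the CRIL report summary above; mailisa[.]me is
# only described as "potentially linked", so it is tracked at lower confidence.
REDHOOK_DEFANGED = {
    "sbvhn[.]com": ("phishing site", "high"),
    "api9[.]iosgaxx423[.]xyz": ("C2 WebSocket endpoint", "high"),
    "skt9[.]iosgaxx423[.]xyz": ("C2 WebSocket endpoint", "high"),
    "mailisa[.]me": ("prior campaign, possible link", "low"),
}

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'api9[.]iosgaxx423[.]xyz' into a real one."""
    return indicator.replace("[.]", ".").strip().lower()

# Watchlist keyed by the real (refanged) domain name.
WATCHLIST = {refang(d): meta for d, meta in REDHOOK_DEFANGED.items()}

def domain_matches(queried: str, watched: str) -> bool:
    """True when queried equals watched or is a subdomain of it; label-aware, so
    'notsbvhn.com' does not match 'sbvhn.com'."""
    q = queried.lower().rstrip(".")
    return q == watched or q.endswith("." + watched)

# Constructed sample resolver log (hypothetical clients, not data from the report):
# <timestamp> <client> query <qname> <type>
SAMPLE_DNS_LOG = """\
2025-02-03T08:14:02Z 10.0.5.21 query api9.iosgaxx423.xyz A
2025-02-03T08:14:09Z 10.0.5.21 query cdn.example.net A
2025-02-03T08:15:41Z 10.0.7.88 query sbvhn.com A
2025-02-03T08:16:00Z 10.0.5.21 query ws.skt9.iosgaxx423.xyz A
2025-02-03T08:17:30Z 10.0.9.13 query mailisa.me A
2025-02-03T08:18:12Z 10.0.5.21 query notsbvhn.com A
"""
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

def scan_dns_log(text: str) -> list:
    """Return one hit dict per log line whose query name is on the watchlist."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the expected layout
        ts, client, qname, _rtype = m.groups()
        for watched, (label, confidence) in WATCHLIST.items():
            if domain_matches(qname, watched):
                hits.append({"time": ts, "client": client, "query": qname,
                             "indicator": watched, "label": label, "confidence": confidence})
                break
    return hits
```

High-confidence hits on the C2 hosts identify devices that should be isolated and examined first; the near-miss domain in the sample shows why suffix matching must be label-aware.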
Despite its complexity and vast capabilities, RedHook remains virtually undetectable by most antivirus software: its detection rate on VirusTotal remains remarkably low. At the time of Cyble’s report, over 500 infected devices had been identified, with RedHook assigning user IDs in sequential order—making it easier to track newly affected victims.
RedHook employs numerous evasion and attack techniques catalogued in the MITRE ATT&CK framework, including phishing (T1660), input command injection (T1516), screen capture (T1513), SMS collection (T1636.004), contact harvesting (T1636.003), and HTTP-based data exfiltration (T1437.001). By impersonating trusted interfaces and mimicking legitimate user behavior, it is capable of circumventing even Android’s layered defenses.
This campaign underscores the escalating sophistication of mobile threats in regions where smartphone banking is prevalent. Security experts urge users to install apps exclusively from official app stores, scrutinize permission requests, enable two-factor authentication, and utilize antivirus solutions with real-time analysis features. Moreover, timely application of security updates and vigilant monitoring of dark web activity are essential in detecting and mitigating such threats.