Thursday, July 31, 2025

Android Banking Malware Masquerades as Government Agencies to Attack Users


Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated Android banking trojan dubbed RedHook, which disguises itself as legitimate applications from Vietnamese government and financial institutions to deceive users.

This malware, first spotted in the wild around January 2025, relies on phishing websites mimicking entities such as the State Bank of Vietnam, Sacombank, Central Power Corporation, the Traffic Police of Vietnam, and even the Government of Vietnam.

Distributed via deceptive domains such as sbvhn[.]com and hosted on AWS S3 buckets, RedHook tricks users into downloading malicious APKs that pose as official banking apps.

Discovery of RedHook Trojan

Once installed, it prompts victims to enable accessibility services and overlay permissions, granting it extensive control over the device.

This combination of permissions allows the trojan to monitor user actions silently, draw fake interfaces over legitimate apps, and bypass security controls, making it a potent tool for credential theft and financial fraud.

RedHook's capabilities extend beyond basic phishing, incorporating remote access trojan (RAT) functionality, keylogging, and screen capture via Android's MediaProjection API.
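The accessibility-plus-overlay combination described above is something an analyst can check statically before a sample is ever run. The script below is an added example, not CRIL's tooling: it reads the decoded text form of AndroidManifest.xml (as produced by apktool or aapt) and flags the capability set the article attributes to RedHook. The permission and action names are real Android identifiers; the manifest embedded in the script is constructed for the demo and the package name com.example.fakebank is made up.

```python
"""Static triage of an Android manifest for the permission set RedHook abuses.

Added example, not CRIL's tooling. The manifest below is constructed; the
Android permission and action names are real.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability -> <uses-permission> names that grant it.
SIGNALS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "install_uninstall": {"android.permission.REQUEST_INSTALL_PACKAGES",
                          "android.permission.REQUEST_DELETE_PACKAGES"},
    # Android 14+ apps must declare this to run MediaProjection from a
    # foreground service; older targets need no manifest entry for it.
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

# Constructed manifest for the demo (package name is made up).
CONSTRUCTED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="SBV">
    <service android:name=".A11y" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return per-capability flags, a coarse verdict and the package name."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}

    # An accessibility service is not a <uses-permission>: it is a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE that filters on the
    # AccessibilityService action. Require both so a stray attribute does
    # not count.
    def is_a11y(svc):
        actions = {a.get(NAME) for a in svc.iter("action")}
        return (svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                and "android.accessibilityservice.AccessibilityService" in actions)

    result = {name: bool(requested & perms) for name, perms in SIGNALS.items()}
    result["accessibility_service"] = any(is_a11y(s) for s in root.iter("service"))

    flagged = sum(1 for v in result.values() if v)
    if result["accessibility_service"] and result["overlay"]:
        verdict = "high"      # the overlay-plus-accessibility pattern from the article
    elif flagged >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    result["verdict"] = verdict
    result["package"] = root.get("package")
    return result


if __name__ == "__main__":
    for key, value in triage_manifest(CONSTRUCTED_MANIFEST).items():
        print(f"{key:22} {value}")
```

To use it on a real sample, decode the APK with `apktool d sample.apk` and pass the contents of the resulting AndroidManifest.xml to triage_manifest. A "high" verdict is a triage signal, not a conviction: legitimate accessibility tools and some launchers declare the same pair, so the result should feed a manual look at what the service actually does.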

Phishing site distributing a malicious APK file

It establishes a persistent WebSocket connection to command-and-control (C2) servers such as api9[.]iosgaxx423.xyz and skt9[.]iosgaxx423.xyz, enabling real-time communication and the execution of over 30 commands.

These commands range from collecting device information, SMS messages, and contacts to performing gestures such as swipes, clicks, and text input, as well as installing or uninstalling apps, capturing screenshots, and even rebooting the device.

The malware's phishing workflow is meticulously designed: it begins with fake identity verification prompts requiring uploads of citizen ID photos, followed by requests for banking details, passwords, and two-step verification codes.

Keylogs, tagged with the application package name and the active class, are exfiltrated to the C2, while continuous screen streaming as JPEG images allows threat actors to interact with the device remotely.

Code artifacts, including Chinese-language strings in logs and exposed screenshots from an open AWS S3 bucket active since November 2024, point to a Chinese-speaking developer or group behind RedHook.

Data exposed on the open S3 bucket

This bucket revealed operational data such as fake templates, phishing interfaces, and evidence linking the operators to prior scams via the domain mailisa[.]me, indicating an evolution from social-engineering fraud to advanced malware-driven attacks.

Broader Implications

Despite its advanced features, RedHook maintains low detection rates on platforms like VirusTotal, underscoring its stealthy nature and the challenges of the mobile threat landscape. Analysis shows it has infected over 500 devices, with user IDs incrementing sequentially upon compromise.

The trojan abuses legitimate APIs for defense evasion, such as masquerading as trusted apps and injecting input to mimic user interactions, aligning with MITRE ATT&CK techniques including Phishing (T1660), Input Injection (T1516), and Screen Capture (T1513).

It collects protected data, including SMS (T1636.004) and contacts (T1636.003), exfiltrating it via HTTP-based C2 channels (T1437.001). This enables systematic harvesting of sensitive information for fraudulent transactions, often without the victim's awareness.

The emergence of RedHook highlights the escalating sophistication of Android banking trojans in high-risk regions like Vietnam, blending phishing, RAT, and keylogging for comprehensive device control.

Cybersecurity experts recommend downloading apps only from official sources, scrutinizing permission requests, enabling two-factor authentication, and using mobile security solutions with real-time scanning.

Keeping devices updated with security patches is crucial to mitigate vulnerabilities. Proactive threat intelligence, including monitoring of dark web activity, is essential for early detection of and response to such evolving cyber threats.

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Description |
|---|---|---|
| 0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07 | SHA256 | RedHook |
| ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3 | SHA256 | RedHook |
| f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b | SHA256 | RedHook |
| adsocket[.]e13falsz.xyz | URL | C&C server |
| api9[.]iosgaxx423.xyz | URL | C&C server |
| skt9[.]iosgaxx423.xyz | Domain | WebSocket URLs |
| api5[.]jftxm.xyz | Domain | WebSocket URLs |
| dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk | URL | RedHook |
| nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk | URL | Distribution URL |
| sbvhn[.]com/ | URL | Phishing URL |
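The IOC list is only useful once it is turned into a check against telemetry. The script below is an added example, not Cyble's tooling: it refangs the defanged entries from the table above, reduces the URL and domain indicators to hostnames, and matches them (including subdomains) against DNS, proxy and TLS log lines, while matching the SHA256 entries against any 64-hex-digit field. The log lines and their `key=value` format are constructed for the demo; the indicators are the ones from the table.

```python
"""Match the RedHook IOCs from the article against log lines.

Added example, not Cyble's tooling. IOCs are copied from the table; the log
lines are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

IOCS = [
    ("0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07", "SHA256"),
    ("ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3", "SHA256"),
    ("f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b", "SHA256"),
    ("adsocket[.]e13falsz.xyz", "URL"),
    ("api9[.]iosgaxx423.xyz", "URL"),
    ("skt9[.]iosgaxx423.xyz", "Domain"),
    ("api5[.]jftxm.xyz", "Domain"),
    ("dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk", "URL"),
    ("nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk", "URL"),
    ("sbvhn[.]com/", "URL"),
]


def refang(ioc: str) -> str:
    """Undo the [.] and hxxp defanging used in published IOC lists."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_of(ioc: str) -> str:
    """Hostname of a defanged URL or domain indicator (scheme optional)."""
    value = refang(ioc)
    if "://" not in value:
        value = "//" + value          # let urlsplit see it as a network path
    return urlsplit(value).hostname


# refanged hostname -> original indicator string, for reporting
HOST_IOCS = {host_of(v): v for v, kind in IOCS if kind in ("URL", "Domain")}
HASH_IOCS = {v.lower() for v, kind in IOCS if kind == "SHA256"}

# Constructed log format: space-separated key=value fields.
HOST_RE = re.compile(r"(?:host|query|sni)=(?P<host>[a-z0-9.-]+)", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def match_line(line: str) -> list:
    """Return the indicators a single log line matches (empty if none)."""
    hits = []
    for m in HOST_RE.finditer(line):
        host = m.group("host").lower().rstrip(".")
        # exact host, or any subdomain of a listed host
        for ioc_host, raw in HOST_IOCS.items():
            if host == ioc_host or host.endswith("." + ioc_host):
                hits.append(raw)
    for m in HASH_RE.finditer(line):
        if m.group(0).lower() in HASH_IOCS:
            hits.append(m.group(0).lower())
    return hits


def scan(lines) -> list:
    """Return (line, hits) pairs for every line that matched an indicator."""
    results = []
    for line in lines:
        hits = match_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample telemetry; 10.0.0.23 is a made-up client address.
CONSTRUCTED_LOGS = [
    "2025-07-30T08:12:01Z dns query=api9.iosgaxx423.xyz type=A src=10.0.0.23",
    "2025-07-30T08:12:05Z proxy host=nfe-bucketapk.s3.ap-southeast-1.amazonaws.com "
    "path=/SBV.apk src=10.0.0.23",
    "2025-07-30T08:13:40Z tls sni=skt9.iosgaxx423.xyz src=10.0.0.23",
    "2025-07-30T08:14:00Z dns query=www.google.com type=A src=10.0.0.23",
    "2025-07-30T08:20:11Z av file=SBV.apk "
    "sha256=0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07",
]

if __name__ == "__main__":
    for line, hits in scan(CONSTRUCTED_LOGS):
        print(hits, "<-", line)
```

Matching on the hostname rather than the full URL is deliberate: the WebSocket C2 traffic will not carry the APK path, and the S3 and CloudFront indicators are only meaningful as their full bucket or distribution hostnames, so a suffix match on amazonaws.com or cloudfront.net alone would drown the result in benign traffic.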
