Data exposed on open S3 bucket | Image: CRIL
In a revelation by Cyble Research and Intelligence Labs (CRIL), a powerful new Android banking trojan dubbed RedHook has surfaced, targeting Vietnamese users with unprecedented precision and sophistication. Unlike traditional banking malware, RedHook blends phishing, remote access, screen capture, and keylogging functionalities, enabling full device takeover and stealthy exfiltration of sensitive information.
“RedHook is a newly identified Android banking trojan targeting Vietnamese users through phishing sites impersonating trusted financial and government institutions,” stated the CRIL report.
Distributed through phishing websites such as sbvhn[.]com, which mimics the State Bank of Vietnam, RedHook lures victims into downloading a malicious APK hosted on an AWS S3 bucket (nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com/SBV.apk). Once installed, the malware prompts users to grant extensive permissions — including accessibility services and overlay rights — under the guise of a legitimate app.
After these permissions are granted, the malware proceeds to:
- Launch phishing attacks to steal identity documents and banking credentials.
- Establish a persistent WebSocket connection to a live C2 server for real-time command execution.
- Capture screen activity using Android’s MediaProjection API.
- Collect SMS messages, contacts, and banking details, and perform remote operations via 34 server-issued commands.
“RedHook supports 34 server-issued commands, enabling complete remote control of the infected device,” CRIL noted. These include commands to capture photos, record the screen, install/uninstall apps, unlock the device, and even simulate user interactions.
The use of WebSocket-based command-and-control infrastructure gives RedHook low-latency communication with infected devices. Screenshots and data captured from victims are immediately transmitted to attacker-controlled servers.
Investigators found Chinese-language artifacts both within the codebase and in the assets of the exposed S3 bucket. This strongly suggests that the malware was “likely developed by a Chinese-speaking threat actor or group.”
“The malware contained Chinese-language strings in its logs, and several screenshots from the exposed S3 bucket also featured Chinese text,” CRIL observed.
The same S3 bucket stored screenshots of spoofed Vietnamese banking apps, including Sacombank and MaiLisa Beauty Salon. The reuse of domains like mailisa[.]me links the malware to older social engineering scams targeting Vietnamese users.
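For defenders, the indicators the report names above (the sbvhn[.]com phishing domain, the S3 download URL for SBV.apk, and the reused mailisa[.]me domain) can be matched against web-proxy or DNS logs. The following is an added example written for this article, not code from CRIL or the report; the log line format and the sample lines are constructed assumptions.

```python
import re

# Indicators quoted in the CRIL report above, kept in the defanged form in
# which they were published and refanged at runtime.
REDHOOK_INDICATORS = [
    "sbvhn[.]com",
    "nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com/SBV.apk",
    "mailisa[.]me",
]

# Constructed proxy-log format (an assumption, not from the report):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")

def refang(ioc):
    """Turn 'example[.]com' / 'hxxp://' defanging back into a plain string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

def split_url(url):
    """Return (host, path) from a URL, tolerating a missing scheme and a port."""
    u = re.sub(r"^[a-z]+://", "", url.lower())
    host, _, path = u.partition("/")
    return host.split(":")[0], "/" + path

def scan_log(lines):
    """Return (line_no, indicator, host) for every line whose URL hits an indicator."""
    iocs = []
    for raw in REDHOOK_INDICATORS:
        ioc_host, ioc_path = split_url(refang(raw))
        # A bare domain matches any path; the APK indicator matches only that object.
        iocs.append((raw, ioc_host, None if ioc_path == "/" else ioc_path))
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        host, path = split_url(m.group(4))
        for raw, ioc_host, ioc_path in iocs:
            # Exact host or any subdomain of the indicator domain.
            if (host == ioc_host or host.endswith("." + ioc_host)) and (ioc_path is None or path == ioc_path):
                hits.append((n, raw, host))
    return hits

# Constructed sample lines; only lines 2, 3 and 5 should be flagged.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 GET https://news.example.com/ 200",
    "2025-01-01T10:00:01Z 10.0.0.5 GET https://sbvhn.com/download 200",
    "2025-01-01T10:00:02Z 10.0.0.5 GET https://nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk 200",
    "2025-01-01T10:00:03Z 10.0.0.7 GET https://nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/other.txt 200",
    "2025-01-01T10:00:04Z 10.0.0.9 GET http://login.mailisa.me/ 200",
]
```

Calling `scan_log(SAMPLE_LOG)` flags the phishing domain, the exact SBV.apk object, and the mailisa[.]me subdomain, while leaving the unrelated object in the same bucket unflagged.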
RedHook uses recognizable branding and icons to impersonate well-known organizations. This includes fake login portals, identity verification dialogs, and screen overlays in both Vietnamese and Indonesian — implying that the trojan may evolve into a multi-regional threat.
“The phishing interface appears in Indonesian, suggesting that the threat actor may reuse templates for a different target audience,” the report warned.
Despite its arsenal of capabilities, RedHook currently enjoys low detection rates on VirusTotal, allowing it to remain active in the wild.
“RedHook remains a relatively new threat and currently shows low detection rates on VirusTotal,” the researchers emphasized.
The CRIL team concludes:
“By leveraging these combined capabilities, like phishing, keylogging, screen capture, RAT, and elevated permissions, RedHook grants threat actors complete remote control over infected devices.”