Cyble discovers “RedHook” Android Trojan targeting users in Vietnam

Researchers at Cyble Research and Intelligence Labs (CRIL), the research arm of cybersecurity firm Cyble, have discovered a new Android banking Trojan called “RedHook” that is actively targeting mobile users in Vietnam. The malware is being distributed via sophisticated phishing sites impersonating legitimate financial institutions and government agencies.

Once installed, RedHook combines dangerous capabilities — phishing, keylogging, and remote access — allowing attackers to take full control of infected devices. Despite its intrusive behavior, detection rates by antivirus products are low, enabling it to operate stealthily.

Analysis of the RedHook Android banking Trojan campaign

CRIL first detected RedHook via a phishing site at sbvhn[.]com. That site impersonates the State Bank of Vietnam and tricks users into downloading a trojanized APK file (SBV.apk). The APK was hosted in a public AWS S3 bucket (hxxps://nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com/SBV.apk).

The S3 bucket contained screenshots, phishing templates, and multiple versions of the malware, indicating that RedHook has been active since at least November 2024. Samples in the wild were observed through January 2025.

RedHook’s infrastructure includes domains such as mailisa[.]me, which were previously used in domestic cosmetics fraud campaigns in Vietnam. This suggests the attackers evolved from social-engineering scams to more advanced attacks using an Android banking Trojan.

Infection flow and capabilities

After installation, RedHook requests overlay access and Android Accessibility Service privileges. With those permissions the malware can perform intrusive actions such as:

• Launching overlay-based phishing pages
• Recording all keystrokes (keylogging)
• Exfiltrating contacts and SMS messages
• Installing and uninstalling apps
• Capturing the screen via the MediaProjection API

RedHook sends these screen captures to the attacker’s C2 server in real time over WebSocket connections.

On the network side, it maintains persistent WebSocket connections to subdomains of skt9.iosgaxx423.xyz and uses api9.iosgaxx423.xyz for initial HTTP communications. The malware supports 34 remote commands, enabling collection of device info, SMS and screenshots, command execution, overlay activation, and more.

Technical analysis

On startup, RedHook displays a fake State Bank of Vietnam login page. When users enter credentials, they are sent to /auth/V2/login. The server responds with a JWT access token and a client ID, which RedHook uses to report device information to /member/info/addDevice. The reported data includes device ID, brand, screen orientation, lock type, and other details — allowing the attackers to register and track infected devices.
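The network indicators above (the phishing site, the S3 bucket, the api9/skt9 C2 hosts and the login, addDevice and upload endpoints) are what a defender would sweep proxy and egress logs for. The following Python script is an added example, not code from Cyble or from the report; the log line format and the sample lines are constructed, and the indicator list is copied from this article with the defanging brackets removed.

```python
import re
from urllib.parse import urlsplit
# Hosts named in the article, mapped to the stage they serve (defanging brackets removed).
REDHOOK_HOSTS = {
    "sbvhn.com": "phishing-site",                                # fake State Bank of Vietnam page
    "nfe-bucketapk.s3.ap-southeast-1.amazonaws.com": "payload",  # public S3 bucket hosting SBV.apk
    "api9.iosgaxx423.xyz": "c2-http",                            # initial HTTP communications
    "skt9.iosgaxx423.xyz": "c2-websocket",                       # persistent WebSocket sessions (subdomains)
    "mailisa.me": "related-infra",                               # earlier cosmetics-fraud domain
}
# Server paths used for login, device registration and ID-card upload.
C2_PATHS = ("/auth/V2/login", "/member/info/addDevice", "/file/upload/")
# Assumed log format: "<timestamp> <source-ip> <METHOD> <url>" (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
def match_host(host):
    """Return (indicator, stage) on an exact or subdomain match, else None."""
    host = host.lower().rstrip(".")
    for ioc, stage in REDHOOK_HOSTS.items():
        if host == ioc or host.endswith("." + ioc):
            return ioc, stage
    return None

def triage(lines):
    """Return (line_no, src, host, stage, c2_path) for every request to a RedHook host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparseable line: skip rather than abort the scan
        parts = urlsplit(m["url"])         # handles http(s) and ws(s) URLs alike
        found = match_host(parts.hostname or "")
        if found:
            c2_path = any(parts.path.startswith(p) for p in C2_PATHS)
            hits.append((n, m["src"], parts.hostname, found[1], c2_path))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-01-14T08:02:11Z 10.0.0.23 GET https://sbvhn.com/",
    "2025-01-14T08:02:19Z 10.0.0.23 GET https://nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk",
    "2025-01-14T08:05:40Z 10.0.0.23 POST https://api9.iosgaxx423.xyz/auth/V2/login",
    "2025-01-14T08:05:42Z 10.0.0.23 POST https://api9.iosgaxx423.xyz/member/info/addDevice",
    "2025-01-14T08:06:03Z 10.0.0.23 GET wss://node1.skt9.iosgaxx423.xyz/ws",
    "2025-01-14T08:07:00Z 10.0.0.41 GET https://www.example.com/index.html",
    "malformed line that the parser must tolerate",
]

def infected_sources(lines):
    """Source IPs that reached any C2 host: candidates for device isolation and review."""
    return sorted({src for _, src, _, stage, _ in triage(lines) if stage.startswith("c2-")})
```

A hit on a phishing or payload host alone may be a user who only visited the page; a source that also reaches the api9 login and addDevice endpoints or opens a skt9 WebSocket has most likely installed the APK.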

At the time of analysis, the number of registered user IDs had grown to 570, and it is estimated that over 500 devices have been infected.

Phishing workflow

RedHook’s phishing process proceeds in stages:

  1. Victims are prompted to photograph and upload their national ID card; the image is sent to /file/upload/.
  2. They are then asked to enter personal information such as bank name, account number, full name, address, and date of birth. Interestingly, these input templates were displayed in Indonesian rather than Vietnamese.
  3. Finally, victims enter a 4-digit password and a 6-digit two-factor authentication code.

All keystrokes are tied to the app package name and screen activity and are sent to the C2 server.

RAT features and clues about the attackers

The WebSocket connection (via skt9) enables RAT (remote access Trojan) functionality. During these sessions, screen frames are converted to JPEG and live-streamed to the attackers.

The public S3 bucket contained screenshots from WebSocket sessions and elements of a Chinese-language interface. Chinese strings were also found in the malware logs, suggesting the attackers may be Chinese speakers.