RedHook Banking Trojan
Vietnam has recently become a hotspot for sophisticated Android malware campaigns. A new banking trojan, dubbed RedHook, is spreading through phishing sites disguised as financial and government institutions. The malware is designed to compromise mobile devices and steal sensitive financial information while granting cybercriminals near-complete control over infected systems.
How RedHook Operates
RedHook combines Remote Access Trojan (RAT) functionality with keylogging and information-stealing capabilities. The Trojan infiltrates devices by masquerading as legitimate apps—such as a fake State Bank of Vietnam mobile app—and quickly begins requesting sensitive permissions, including access to media files and the Android Accessibility Services.
Once installed, RedHook abuses these permissions to:
- Overlay phishing screens on legitimate apps to capture login credentials.
- Record keystrokes and screen activity using the MediaProjection API.
- Intercept two-factor authentication codes, banking data, and ID uploads.
Its RAT component enables execution of 34 distinct commands, ranging from app installation and removal to taking photos with the device camera, restarting the phone, or copying clipboard contents.
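The behaviour above (a sideloaded app that immediately asks for Accessibility Service access) gives a defender one concrete thing to check on a suspect handset. The following triage helper is an added example, not code from the article or the researchers: it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags third-party apps with accessibility access that did not come from a trusted store. The package names, the sample command output and the trusted-installer list are constructed assumptions.

```python
import re

# Installer package names treated as trusted app stores (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending", "com.samsung.android.app.samsungapps"}

# Constructed sample output of `settings get secure enabled_accessibility_services`
# (colon-separated "package/ServiceClass" entries).
SAMPLE_ENABLED_A11Y = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.fakebank/com.example.fakebank.MainService"
)

# Constructed sample output of `pm list packages -3 -i` (third-party apps + installer).
SAMPLE_PACKAGES = """package:com.example.screenreader  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.example.realbank  installer=com.android.vending
"""


def parse_enabled_a11y(raw):
    """Return the set of package names that have an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in raw.strip().split(":") if entry}


def parse_installers(raw):
    """Map each listed package to its recorded installer (None when adb reports null)."""
    result = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            result[pkg] = None if inst == "null" else inst
    return result


def flag_suspicious(a11y_raw, pkg_raw):
    """Sorted list of accessibility-enabled third-party apps not installed from a trusted store."""
    enabled = parse_enabled_a11y(a11y_raw)
    installers = parse_installers(pkg_raw)
    return sorted(
        pkg for pkg in enabled
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS
    )


if __name__ == "__main__":
    for pkg in flag_suspicious(SAMPLE_ENABLED_A11Y, SAMPLE_PACKAGES):
        print("review accessibility grant for:", pkg)
```

A hit only means the app deserves a closer look (hash check, installer source, requested permissions); legitimate sideloaded accessibility tools will also appear.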
Technical Sophistication and Chinese-Language Artifacts
Researchers note that RedHook communicates with its command-and-control (C2) server via WebSocket, allowing real-time interactions and remote execution. Code strings written in Chinese indicate possible ties to a Chinese-speaking threat actor or group.
The Trojan also demonstrates advanced evasion tactics, including sandbox checks, modular design for activating features when needed, and use of the ApkSignatureKillerEx tool to bypass Android’s app signature verification. This enables attackers to inject secondary payloads while maintaining the appearance of a legitimate application.
Campaign Timeline and Evidence
RedHook’s campaigns only recently gained traction, but evidence from an exposed AWS S3 bucket shows files linked to the malware dating back to November 2024. These include fake banking templates, screenshots of infected devices, and malicious PDFs. Some phishing pages even displayed content in Indonesian, which implies the malware is being customized for multiple regions.
Infiltration Tactics
The operators of RedHook rely heavily on social engineering and deceptive distribution channels. Fraudulent webpages mimic trusted institutions, including the State Bank of Vietnam, Saigon Thuong Tin Commercial Joint Stock Bank (Sacombank), the Vietnamese Traffic Police (CSGT), Central Power Corporation, and official Vietnamese government portals.
Beyond phishing, RedHook may also be delivered through spam campaigns, malicious ads, pirated software, third-party app stores, and cracked activation tools.
Potential Consequences
If installed, RedHook can lead to:
- Severe privacy breaches (exposure of personal and financial data)
- Identity theft (through stolen ID documents and account details)
- Financial losses (via direct banking fraud)
- Chain infections (as the Trojan can deliver additional payloads)
This combination of RAT functions, phishing overlays, and credential theft makes RedHook one of the more dangerous Android banking trojans observed to date.
Defense Against RedHook and Similar Threats
To reduce the risk of infection, avoid downloading apps from unverified sources or links found in suspicious messages. You should also treat unexpected requests for sensitive data—such as ID uploads or 2FA codes—with skepticism, keep Android devices updated, and install apps only from official stores. Using reputable antivirus tools, keeping them updated, and performing regular scans is also recommended.
Final Thoughts
RedHook exemplifies the growing complexity of Android banking trojans. By abusing accessibility permissions, leveraging legitimate APIs, and adopting modular designs, these threats increasingly evade traditional detection. Cybercriminals behind RedHook are well-versed in both social engineering and technical subversion, making vigilance and proactive security measures essential for users across Vietnam and beyond.