Android Banking Malware Masquerades as Government Agencies to Attack Users
Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated Android banking trojan dubbed RedHook, which disguises itself as legitimate applications from Vietnamese government and financial institutions to deceive users.
This malware, first observed in the wild around January 2025, exploits phishing websites mimicking entities like the State Bank of Vietnam, Sacombank, Central Power Corporation, Traffic Police of Vietnam, and even the Government of Vietnam.
Distributed via deceptive domains such as sbvhn[.]com and hosted on AWS S3 buckets, RedHook tricks users into downloading malicious APKs that appear as official banking apps.
Discovery of RedHook Trojan
Once installed, RedHook prompts victims to enable accessibility services and overlay permissions, granting it extensive control over the device.
This combination of permissions allows the trojan to monitor user activities silently, overlay fake interfaces, and bypass security protocols, making it a potent tool for credential theft and financial fraud.
RedHook’s capabilities extend beyond basic phishing, incorporating remote access trojan (RAT) functionalities, keylogging, and screen capture via Android’s MediaProjection API.
It establishes a persistent WebSocket connection to command-and-control (C2) servers like api9[.]iosgaxx423.xyz and skt9[.]iosgaxx423.xyz, enabling real-time communication and execution of over 30 commands.
These commands range from collecting device information, SMS messages, and contacts to performing gestures like swipes, clicks, and text input, as well as installing or uninstalling apps, capturing screenshots, and even rebooting the device.
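The permission combination described above (accessibility service plus overlay, alongside SMS, contacts and screen-capture access) is a useful static triage signal. The following is an added example, not code from Cyble's report: it parses a decoded AndroidManifest.xml and scores that combination; the sample manifest and the weights are constructed for illustration.

```python
# Added example (not from the Cyble report): flag the accessibility + overlay + data-access
# permission set that RedHook abuses. Input is a decoded (text) AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# capability -> (manifest permission, weight). Weights are an illustrative assumption.
RISK_PERMISSIONS = {
    "overlay": ("android.permission.SYSTEM_ALERT_WINDOW", 2),
    "sms": ("android.permission.READ_SMS", 2),
    "contacts": ("android.permission.READ_CONTACTS", 1),
    "install": ("android.permission.REQUEST_INSTALL_PACKAGES", 1),
    "screen_capture": ("android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION", 2),
}
ACCESSIBILITY_SERVICE = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return capabilities found, a score, and a verdict; accessibility + overlay is 'high'."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = {cap for cap, (perm, _) in RISK_PERMISSIONS.items() if perm in perms}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_SERVICE for s in root.iter("service")):
        found.add("accessibility")
    score = sum(w for cap, (_, w) in RISK_PERMISSIONS.items() if cap in found)
    if "accessibility" in found:
        score += 3
    # Accessibility plus overlay is the pairing that enables silent monitoring and fake screens.
    if {"accessibility", "overlay"} <= found:
        verdict = "high"
    else:
        verdict = "medium" if score >= 3 else "low"
    return {"capabilities": sorted(found), "score": score, "verdict": verdict}


# Constructed sample manifest shaped like a banking-trojan dropper (not a real RedHook artifact).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against manifests decoded with apktool or aapt2 to prioritise samples for dynamic analysis.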
The malware’s phishing workflow is meticulously designed: it starts with fake identity verification prompts requiring uploads of citizen ID photos, followed by requests for banking details, passwords, and two-step verification codes.
Keylogs, tagged with application package names and active class details, are exfiltrated to the C2, while continuous screen streaming via JPEG images allows threat actors to remotely interact with the device.
Code artifacts, including Chinese-language strings in logs and exposed screenshots from an open AWS S3 bucket active since November 2024, point to a Chinese-speaking developer or group behind RedHook.

This bucket revealed operational data like fake templates, phishing interfaces, and evidence linking to prior scams via the domain mailisa[.]me, indicating an evolution from social engineering fraud to advanced malware-driven attacks.
Broader Implications
Despite its advanced features, RedHook maintains low detection rates on platforms like VirusTotal, underscoring its stealthy nature and the challenges of the mobile threat landscape. Analysis shows it has infected over 500 devices, with user IDs incrementing sequentially upon compromise.
The trojan abuses legitimate APIs for defense evasion, such as masquerading as trusted apps and injecting inputs to mimic user interactions, aligning with MITRE ATT&CK techniques like Phishing (T1660), Input Injection (T1516), and Screen Capture (T1513).
It collects protected data, including SMS (T1636.004) and contacts (T1636.003), exfiltrating via HTTP-based C2 channels (T1437.001). This enables systematic harvesting of sensitive information for fraudulent transactions, often without victim awareness.
The emergence of RedHook highlights the escalating sophistication of Android banking trojans in high-risk regions like Vietnam, blending phishing, RAT, and keylogging for comprehensive device control.
Cybersecurity experts recommend downloading apps only from official sources, scrutinizing permission requests, enabling two-factor authentication, and using mobile security solutions with real-time scanning.
Keeping devices updated with security patches is crucial to mitigate vulnerabilities. Proactive threat intelligence, including monitoring dark web activities, is essential for early detection and response to such evolving cyber threats.
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| 0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07 | SHA256 | RedHook |
| ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3 | SHA256 | RedHook |
| f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b | SHA256 | RedHook |
| adsocket[.]e13falsz.xyz | URL | C&C server |
| api9[.]iosgaxx423.xyz | URL | C&C server |
| skt9[.]iosgaxx423.xyz | Domain | WebSocket URLs |
| api5[.]jftxm.xyz | Domain | WebSocket URLs |
| dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk | URL | RedHook |
| nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk | URL | Distribution URL |
| sbvhn[.]com/ | URL | Phishing URL |