Stealthy Android Trojan Targets Vietnam Users

Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) have uncovered a new Android banking trojan called RedHook that is actively targeting Vietnamese mobile users. The malware is distributed via carefully crafted phishing sites impersonating trusted financial and government agencies.

Once installed, RedHook delivers a dangerous combination of phishing, keylogging, and remote access capabilities, enabling full control over infected devices, yet it remains low‑profile with limited antivirus detection.

Decoding the RedHook Android Banking Trojan Campaign

CRIL first detected RedHook via a phishing website at sbvhn[.]com, which mimics the State Bank of Vietnam. The site lures users into downloading a trojanized APK (SBV.apk) from an exposed AWS S3 bucket (hxxps://nfe‑bucketapk.s3.ap‑southeast‑1.amazonaws[.]com/SBV.apk). The bucket, which has been public since November 2024, contained screenshots, phishing templates, and malware versions. It revealed that RedHook has been active since at least November 2024, with samples appearing in the wild by January 2025.

RedHook Stealthy Android Trojan — Phishing site distributing a malicious APK file (Source: Cyble)

RedHook’s infrastructure includes domains such as mailisa[.]me, previously associated with a Vietnamese cosmetic scam. That shift indicates the threat actor has evolved from social engineering fraud to wielding an Android banking trojan embedded in phishing sites.

Infection Workflow and Capabilities

After installation, the malware prompts the user for overlay access and Android accessibility services. These elevated permissions enable RedHook to perform a range of intrusive actions: launching overlay phishing pages, capturing all keystrokes (keylogging), exfiltrating contacts and SMS, and installing or uninstalling apps. The malware abuses Android’s MediaProjection API to capture the screen and streams images via WebSocket to the attacker’s control infrastructure.

RedHook maintains persistent WebSocket communication with its command‑and‑control (C2) server, using the subdomain skt9.iosgaxx423.xyz, while initial HTTP requests go to api9.iosgaxx423.xyz. The malware supports 34 distinct remote commands from the server, numbered actions that let operators collect device info, SMS, screenshots, send commands, trigger overlays, and more.

Technical Deep Dive

Upon launch, the malware presents a spoofed login page imitating the State Bank of Vietnam. Once credentials are entered, the trojan sends them to /auth/V2/login. In response, the server issues a JWT access token and client ID. Using these tokens, RedHook reports device specifics to /member/info/addDevice, including device ID, brand, orientation, and screen lock type, allowing the attacker to register and track each compromised device. At the time of the analysis, the number of returned user IDs had increased to 570, indicating over 500 infections.

RedHook’s phishing workflow unfolds in stages:

Victims are prompted to photograph and upload their citizen ID. The resulting image is transmitted to /file/upload/.
Users then provide bank name, account number, name, address, birthdate, and other personal data via templates that interestingly appear in Indonesian, not Vietnamese.
Finally, the victim is asked to enter a 4‑digit password and 6‑digit two‑step verification code.

Every keystroke entered is logged, tagged with app package name and foreground activity, and sent to the C2 server.

The RAT (Remote Access Trojan) capability is enabled via WebSocket connection over skt9. During this session, captured screen frames (converted to JPEG) are streamed live. The exposed S3 bucket contained screenshots showing the WebSocket session and Chinese‑language interface elements, implying a possible Chinese‑speaking threat actor. Chinese‑language strings also appear in the malware logs.

Exposed S3 bucket used by malware (Source: Cyble)

The AWS S3 bucket exposed RedHook’s phishing templates mimicking several well‑known Vietnamese targets, including Sacombank, Central Power Corporation, the traffic police (CSGT), and government portals.

Data exposed on open S3 bucket — Exposed data on open S3 bucket (Source: Cyble)

Icons and branding closely mirrored those institutions to deceive victims into trusting the phishing sites.

Attribution and Indicators

Several artifacts strongly suggest a Chinese-speaking origin: Chinese text is present throughout screenshots captured from the C2 interface, and internal code and log strings also contain Chinese language. Additionally, the staging domain mailisa[.]me has links to previous Vietnamese fraud campaigns, including one case where a victim lost over 1 billion VND after being redirected to MaiLisa salon-branded phishing content.

Malware receiving mailisa.me domain from the server (Source: Cyble)

Screenshots from an exposed data bucket referenced “MaiLisa Beauty Salon” and showed payments of 5.5 million VND to “DTMG TRADING CO. LTD D MAILISA,” closely resembling the earlier scam.

Exposed S3 bucket images associated with the MaiLisa Beauty Salon theme (Source: Cyble)

Together, these elements indicate a group likely operating from a Chinese-language background, evolving from basic scams to deploying RedHook, a sophisticated Android banking trojan, through phishing sites.

Conclusion

RedHook represents a dangerous shift in Android malware, combining phishing, remote access, and surveillance to target users, especially in Vietnam, while evading detection through spoofed sites and sideloaded APKs. Its advanced features and low VirusTotal visibility make it highly stealthy.

To combat threats like RedHook, users should avoid installing apps from unknown sources, be cautious of suspicious permission requests, and use behavior-based mobile security. Institutions must proactively share threat intelligence to disrupt mobile attack infrastructure.

Source link