{"id":5064,"date":"2025-07-30T00:11:25","date_gmt":"2025-07-30T00:11:25","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=5064"},"modified":"2025-07-30T00:11:25","modified_gmt":"2025-07-30T00:11:25","slug":"android-banking-malware-masquerades-as-authorities-businesses-to-assault-customers","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=5064","title":{"rendered":"Android Banking Malware Masquerades as Government Agencies to Attack Users"},"content":{"rendered":"<div>\n<p>Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated Android banking trojan dubbed RedHook, which disguises itself as legitimate applications from Vietnamese government and financial institutions to deceive users.<\/p>\n<p>This malware, first observed in the wild around January 2025, exploits phishing websites mimicking entities such as the State Bank of Vietnam, Sacombank, Central Power Corporation, Traffic Police of Vietnam, and even the Government of Vietnam.<\/p>\n<p>Distributed via deceptive domains such as sbvhn[.]com and hosted on AWS S3 buckets, RedHook tricks users into downloading malicious APKs that appear to be official banking apps.<\/p>\n<h2 class=\"wp-block-heading\" id=\"discovery-of-redhook-trojan-targeting-vietnamese-f\"><strong>Discovery of RedHook Trojan<\/strong><\/h2>\n<p>Once installed, it prompts victims to enable accessibility services and overlay permissions, granting it extensive control over the device. 
<\/p>\n<p>This combination of permissions allows the trojan to monitor user actions silently, overlay fake interfaces, and bypass security protocols, making it a potent tool for credential theft and financial fraud.<\/p>\n<p>RedHook\u2019s capabilities extend beyond basic phishing, incorporating remote access trojan (RAT) functionality, <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/dcrat-targets-windows-systems\/\">keylogging<\/a>, and screen capture via Android\u2019s MediaProjection API.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_qmTNraQ6kv_oiwH4w-88XkQIbiqblt3OCTd6jObup4GEGSMjeMW3Dz5J0bXOiJnfmQTexI1WjyMCdVH9OdTxo8JhxKY8qSt40Tefe-uPbaw0lSABiT4B6ma7rDAoNLmHXzlld9n19Hm7WY6R5Uu4f7EVpO99JpPraKgVqUnsTsxY9iCYwwsXcqE_cYs\/s16000\/Phishing%20site%20distributing%20a%20malicious%20APK%20file.webp\" alt=\"Android Banking Malware\"\/><figcaption class=\"wp-element-caption\"><em>Phishing site distributing a malicious APK file<\/em><\/figcaption><\/figure>\n<\/div>\n<p>It establishes a persistent WebSocket connection to command-and-control (C2) servers such as api9[.]iosgaxx423.xyz and skt9[.]iosgaxx423.xyz, enabling real-time communication and execution of over 30 commands.<\/p>\n<p>These commands range from collecting device information, SMS messages, and contacts to performing gestures such as swipes, clicks, and text input, as well as installing or uninstalling apps, capturing screenshots, and even rebooting the device.<\/p>\n<p>The malware\u2019s phishing workflow is meticulously designed: it begins with fake identity verification prompts requiring uploads of citizen ID photos, followed by requests for banking details, passwords, and two-step verification codes. 
<\/p>\n<p>Keylogs, tagged with application package names and active class details, are exfiltrated to the C2, while continuous screen streaming via JPEG images allows threat actors to interact with the device remotely.<\/p>\n<p>Code artifacts, including Chinese-language strings in logs and exposed screenshots from an open <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/aws-cdk-vulnerabilities\/\">AWS S3 bucket<\/a> active since November 2024, point to a Chinese-speaking developer or group behind RedHook.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjHnCWbJwBkBpAh-xss2gDVMg5EkZPurzdcLoDeCpAUxDBQdpnf1_lZBH2Fdb9KATFGh_bFZJlJnrWpeOxI8hZnhH5DAUfSgBaYeI-M4u7za59DTyN-_gSyaknLv2UA5msWplc2tEMxoUESZ8k_iDzTFVtf6a9bRq_Az7tQpm9sh49_mX0IXB2baNkvK2k\/s16000\/Data%20exposed%20on%20open%20S3%20bucket.webp\" alt=\"Android Banking Malware\"\/><figcaption class=\"wp-element-caption\"><em>Data exposed on open S3 bucket<\/em><\/figcaption><\/figure>\n<\/div>\n<p>This bucket <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/cyble.com\/blog\/redhook-new-android-banking-targeting-in-vietnam\/\">revealed<\/a> operational data such as fake templates, phishing interfaces, and evidence linking to prior scams via the domain mailisa[.]me, indicating an evolution from social engineering fraud to advanced malware-driven attacks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"stealthy-threat-with-low-detection-and-broader-imp\"><strong>Broader Implications<\/strong><\/h2>\n<p>Despite its advanced features, RedHook maintains low detection rates on platforms such as VirusTotal, underscoring its stealthy nature and the challenges of the mobile threat landscape. 
Analysis shows it has infected over 500 devices, with user IDs incrementing sequentially upon compromise.<\/p>\n<p>The trojan abuses legitimate APIs for defense evasion, such as masquerading as trusted apps and injecting inputs to mimic user interactions, aligning with MITRE ATT&amp;CK techniques such as Phishing (T1660), Input Injection (T1516), and Screen Capture (T1513).<\/p>\n<p>It collects protected data, including SMS (T1636.004) and contacts (T1636.003), exfiltrating via HTTP-based C2 channels (T1437.001). This enables systematic harvesting of sensitive information for fraudulent transactions, often without the victim\u2019s awareness.<\/p>\n<p>The emergence of RedHook highlights the escalating sophistication of Android banking trojans in high-risk regions such as Vietnam, combining phishing, RAT, and keylogging for comprehensive device control.<\/p>\n<p>Cybersecurity experts recommend downloading apps only from official sources, scrutinizing permission requests, enabling two-factor authentication, and using mobile security solutions with real-time scanning.<\/p>\n<p>Keeping devices updated with security patches is essential to mitigate vulnerabilities. 
Proactive threat intelligence, including monitoring dark web activity, is essential for early detection and response to such evolving cyber threats.<\/p>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IOCs)<\/strong><\/h2>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Indicator<\/th>\n<th>Indicator Type<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07<\/td>\n<td>SHA256<\/td>\n<td>RedHook<\/td>\n<\/tr>\n<tr>\n<td>ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3<\/td>\n<td>SHA256<\/td>\n<td>RedHook<\/td>\n<\/tr>\n<tr>\n<td>f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b<\/td>\n<td>SHA256<\/td>\n<td>RedHook<\/td>\n<\/tr>\n<tr>\n<td>adsocket[.]e13falsz.xyz<\/td>\n<td>URL<\/td>\n<td>C&amp;C server<\/td>\n<\/tr>\n<tr>\n<td>api9[.]iosgaxx423.xyz<\/td>\n<td>URL<\/td>\n<td>C&amp;C server<\/td>\n<\/tr>\n<tr>\n<td>skt9[.]iosgaxx423.xyz<\/td>\n<td>Domain<\/td>\n<td>WebSocket URLs<\/td>\n<\/tr>\n<tr>\n<td>api5[.]jftxm.xyz<\/td>\n<td>Domain<\/td>\n<td>WebSocket URLs<\/td>\n<\/tr>\n<tr>\n<td>dzcdo3hl3vrfl.cloudfront[.]net\/Chinhphu.apk<\/td>\n<td>URL<\/td>\n<td>RedHook<\/td>\n<\/tr>\n<tr>\n<td>nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com\/SBV.apk<\/td>\n<td>URL<\/td>\n<td>Distribution URL<\/td>\n<\/tr>\n<tr>\n<td>sbvhn[.]com\/<\/td>\n<td>URL<\/td>\n<td>Phishing URL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated Android banking trojan dubbed RedHook, which disguises itself as legitimate applications from Vietnamese government and financial institutions to deceive users. This malware, first observed in the wild around January 2025, exploits phishing websites mimicking entities such as the State Bank of Vietnam, Sacombank, 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5066,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[4367,797,717,4365,2789,216,4366,342],"class_list":["post-5064","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-agencies","tag-android","tag-attack","tag-banking","tag-government","tag-malware","tag-masquerades","tag-users"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/5064","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5064"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/5064\/revisions"}],"predecessor-version":[{"id":5065,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/5064\/revisions\/5065"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/5066"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}