RedHook: A New Android Banking Trojan Targeting Users in Vietnam
RedHook is a new Android banking trojan that targets Vietnamese users with phishing attacks built on spoofed government and financial institution websites. It uses WebSocket communication, supports 34 remote commands, and carries Chinese-language code artifacts. Detection rates are currently low, and it poses an active threat in the region. 2025-07-28 17:46:12 Author: cyble.com (view original)

RedHook is a new Android banking trojan targeting Vietnamese users via phishing sites posing as trusted financial and government institutions.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) discovered ‘RedHook’, a sophisticated Android banking trojan targeting Vietnamese users through spoofed government and financial websites. It communicates with its command-and-control (C2) server over WebSocket and supports over 30 remote commands, giving the operator complete control over compromised devices. Code artifacts, including Chinese-language strings, suggest development by a Chinese-speaking threat actor or group.

Despite its capabilities, RedHook currently has low antivirus detection, making it an active and stealthy threat in the region.

Key Takeaways

  • RedHook is a newly identified Android banking trojan targeting Vietnamese users through phishing sites impersonating trusted financial and government institutions.
  • The malware combines phishing, RAT, and keylogging capabilities to exfiltrate credentials and carry out fraud.
  • It abuses Android’s MediaProjection API to capture screen content and sends data via WebSocket to a live C2 server.
  • RedHook supports 34 server-issued commands, enabling complete remote control of the infected device.
  • An exposed AWS S3 bucket used by the threat actor revealed screenshots, fake templates, and infrastructure dating back to November 2024.
  • The domain mailisa[.]me, linked to previous scam campaigns targeting Vietnamese users, suggests the operators have moved from social-engineering fraud to a sophisticated Android banking trojan.
  • The malware displays Chinese-language artifacts, indicating a likely Chinese-speaking origin of the threat actor or developer group.
  • Despite its advanced capabilities, RedHook currently has low detection on VirusTotal, making it a stealthy and active threat in the wild.

Overview

In the constantly evolving cyber threat landscape, financial institutions remain prime targets for threat actors seeking to exploit unsuspecting users. Recently, Cyble Research and Intelligence Labs (CRIL) uncovered a new Android banking trojan, which we refer to as “RedHook” based on its origin and the techniques it employs. The malware is distributed through a phishing website, sbvhn[.]com, which impersonates the State Bank of Vietnam. The site tricks users into downloading a malicious APK disguised as a legitimate banking app; the APK itself is hosted on an AWS S3 bucket at hxxps://nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com/SBV.apk (see Figure 1).

Figure 1 – Phishing site distributing a malicious APK file

Once installed on the victim’s device, the RedHook malware can perform the following actions:

  1. Prompt the user to enable accessibility services and grant overlay permissions.
  2. Launch phishing attacks to harvest sensitive information, including identity documents and banking credentials.
  3. Establish a WebSocket connection to enable Remote Access Trojan (RAT) capabilities.
  4. Through its RAT functionality, collect SMS messages and contacts, execute automated UI actions, install or uninstall applications, capture screenshots, and more.

A detailed breakdown of these capabilities is provided in the Technical Analysis section.

Further analysis uncovered more samples of this banking trojan posing as other trusted Vietnamese entities like Sacombank, Central Power Corporation, CSGT (Traffic Police of Vietnam), and the Government of Vietnam. (See Figure 2).

Figure 2 – Icons used by RedHook

These malicious apps use familiar icons and branding to deceive users and trick them into submitting sensitive personal and financial information.

RedHook leveraged a publicly accessible AWS S3 bucket to store exfiltrated images and operational data. The bucket has been active since November 2024 and offered a detailed look into RedHook’s operational toolkit. The exposed data included uploaded screenshots, fake banking templates, PDF documents, and images highlighting the malware’s behavior, such as permission prompts, phishing screens, WebSocket interface, and various malware versions. (See Figure 3 and Figure 4).

Figure 3 – Exposed S3 bucket used by malware
Figure 4 – Data exposed on open S3 bucket
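Deriving an activity timeline from a bucket listing, as an added example that is not part of Cyble's report or tooling: the script parses the S3 ListBucketResult XML an authorized analyst would retrieve (the listing embedded below is constructed and does not reproduce objects from the bucket named above) and reports the earliest and latest modification times, counts by file type, and any APK payloads. It also flags a truncated listing, since a single page gives only a lower bound on how long the bucket has been in use. Only enumerate a bucket you are authorized to query.

```python
"""Timeline from an S3 ListBucketResult document (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone
from pathlib import PurePosixPath

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed listing: keys, sizes and timestamps are made up for this
# example and are not objects observed in the bucket the report describes.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <KeyCount>5</KeyCount>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>screenshots/permission_prompt.jpg</Key>
    <LastModified>2024-11-18T09:12:44.000Z</LastModified>
    <Size>183422</Size>
  </Contents>
  <Contents>
    <Key>templates/bank_login.html</Key>
    <LastModified>2025-01-07T14:03:10.000Z</LastModified>
    <Size>9120</Size>
  </Contents>
  <Contents>
    <Key>docs/manual.pdf</Key>
    <LastModified>2025-02-21T02:55:01.000Z</LastModified>
    <Size>402331</Size>
  </Contents>
  <Contents>
    <Key>builds/v1/SBV.apk</Key>
    <LastModified>2025-03-02T11:40:19.000Z</LastModified>
    <Size>5123456</Size>
  </Contents>
  <Contents>
    <Key>screenshots/websocket_panel.png</Key>
    <LastModified>2025-07-01T16:20:00.000Z</LastModified>
    <Size>77210</Size>
  </Contents>
</ListBucketResult>
"""


def parse_listing(xml_text):
    """Return (objects, truncated) from a ListBucketResult document.

    Each object is a dict with key, last_modified (aware UTC datetime)
    and size. 'truncated' is True when S3 signalled more pages; page with
    ContinuationToken before treating the timeline as complete.
    """
    root = ET.fromstring(xml_text)
    flag = root.findtext("s3:IsTruncated", default="false", namespaces=S3_NS)
    truncated = flag.strip().lower() == "true"
    objects = []
    for node in root.findall("s3:Contents", S3_NS):
        key = node.findtext("s3:Key", namespaces=S3_NS)
        stamp = node.findtext("s3:LastModified", namespaces=S3_NS)
        size = int(node.findtext("s3:Size", default="0", namespaces=S3_NS))
        # S3 emits RFC 3339 with millisecond precision and a literal 'Z'.
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
        objects.append({"key": key, "size": size,
                        "last_modified": when.replace(tzinfo=timezone.utc)})
    return objects, truncated


def summarize(objects):
    """Earliest/latest modification, counts by extension, and APK keys."""
    if not objects:
        return {"first_seen": None, "last_seen": None,
                "by_type": Counter(), "apks": []}
    by_type = Counter(PurePosixPath(o["key"]).suffix.lower().lstrip(".") or "(none)"
                      for o in objects)
    ordered = sorted(objects, key=lambda o: o["last_modified"])
    return {
        "first_seen": ordered[0]["last_modified"],
        "last_seen": ordered[-1]["last_modified"],
        "by_type": by_type,
        "apks": [o["key"] for o in objects if o["key"].lower().endswith(".apk")],
    }


if __name__ == "__main__":
    objs, more = parse_listing(SAMPLE_LISTING)
    report = summarize(objs)
    print(f"{len(objs)} objects, first seen {report['first_seen']:%Y-%m-%d}, "
          f"last seen {report['last_seen']:%Y-%m-%d}, truncated={more}")
    for ext, n in report["by_type"].most_common():
        print(f"  {ext:8s} {n}")
    print("APK payloads:", report["apks"])
```

The same parser works on the output of `aws s3api list-objects-v2` once converted to XML-equivalent fields, but the point of reading the raw XML is that a publicly listable bucket returns exactly this document to an unauthenticated GET, which is how the November 2024 start date above could be established from LastModified values alone.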

Activity on the S3 bucket suggests that RedHook has been active since at least November 2024, with malware samples first observed in the wild by January 2025. Despite its capabilities, RedHook remains a relatively new threat and currently shows low detection rates on VirusTotal. (see Figure 5).

Figure 5 – Low detection on VirusTotal

The malware contained Chinese-language strings in its logs, and several screenshots from the exposed S3 bucket also featured Chinese text. These elements suggest that RedHook was likely developed by a Chinese-speaking threat actor or group. (see Figure 6).

Figure 6 – Use of Chinese strings in logs

We also identified a domain mailisa[.]me, which the malware attempts to load within a WebView component. (see Figure 7).

Figure 7 – Malware receiving mailisa.me domain from the server

Although the domain was inactive at the time of analysis, OSINT tied it to a Vietnamese news report about an earlier scam. In that incident, the victim was contacted via Facebook and enticed to buy discounted cosmetic products. After transferring over 1 billion VND and receiving nothing, the victim asked for a refund and was redirected to mailisa[.]me, where they were deceived again and lost more money.

Screenshots recovered from the exposed AWS S3 bucket corroborate this link: they include references to the “MaiLisa” beauty salon and a transaction receipt showing a 5.5 million VND payment to “DTMG TRADING CO. LTD D MAILISA”. The structure of this beneficiary name closely matches the names cited in the news report. (see Figure 8).

Figure 8 – Exposed S3 bucket images associated with the MaiLisa Beauty Salon theme

These findings suggest that the incidents are connected and that the threat actor has evolved its tactics, moving from social-engineering scams to malware such as RedHook in order to scale up financial theft and fraud.

RedHook Technical Analysis

Once RedHook is installed on a device, it immediately presents a phishing page spoofing the State Bank of Vietnam, prompting the user to enter their login credentials. It then requests access to media files, most likely as a pretext for the broader permission requests that follow, and escalates its control by prompting the user to enable accessibility services and allow overlay permissions. (See Figure 9).

Figure 9 – Malware loading phishing page and prompting the user to grant permissions

This specific combination of permissions is characteristic of Android banking trojans. It enables the malware to silently monitor user activity, manipulate on-screen content, and bypass standard security mechanisms—all while minimizing user suspicion.

After the user submits their credentials, RedHook transmits the data to its command-and-control (C2) server “api9[.]iosgaxx423.xyz/auth/V2/login”. In response, the server returns a JWT access token and a client ID. These are used to construct custom request headers for ongoing communication with the C&C infrastructure, allowing the malware to send additional data and receive further instructions. (see Figure 10).

Figure 10 – Receiving access token and client ID

RedHook sends detailed device information to the endpoint /member/info/addDevice, including parameters such as device number, lock type, brand, and screen orientation. This request is authenticated using custom headers built with the previously obtained access token and client ID, enabling the C&C server to register and track the infected device. (See Figure 11).

Figure 11 – Sending device information

RedHook then issues a follow-up request to retrieve client information from the C&C server, including the username, user ID, device code, invite code, and selected financial data. Notably, the user ID returned in the response appears to increment sequentially with each new infection, effectively serving as a counter of compromised devices. At the time of analysis, the ID had reached 570, indicating that over 500 devices had likely been infected, assuming the counter started near zero and is not shared with other campaigns.

Figure 12 – Client information request indicating the victim counts

Phishing Workflow

RedHook employs a series of phishing steps specifically designed to harvest banking credentials. The sequence begins with an identity verification prompt, where the victim is instructed to capture and upload a photo of their citizen ID card. Once submitted, the image is exfiltrated to the command-and-control server via the /file/upload/ endpoint. (See Figure 13).

Figure 13 – Fake ID verification activity

After completing the initial ID verification, it advances to the next phishing phase, where the user is prompted to provide additional personal and banking details, such as the bank name, account number, full name, address, date of birth, and other sensitive information. (See Figure 14).

Figure 14 – Malware collecting banking information

Notably, the phishing interface appears in Indonesian, suggesting that the threat actor reuses templates built for a different target audience. The absence of Vietnamese translations indicates that the malware is still at an early stage of development and has not been fully customized for its intended victims.

After gathering the banking details, the malware launches a phishing step to collect a 4-digit password and a 6-digit two-step verification code. (see Figure 15).

Figure 15 – Malware collecting users’ banking passwords

Keylogging Capabilities

Beyond phishing, RedHook also incorporates keylogging functionality, capturing every keystroke the victim enters. Each log is accompanied by the relevant application package name and the active page’s class name, and is transmitted to the command-and-control server (see Figure 16).

Figure 16 – Malware sending keylogs to the server

Remote Access Trojan (RAT) via WebSocket

RedHook leverages a WebSocket connection for its Remote Access Trojan (RAT) functionality, using an alternate subdomain of the same C&C infrastructure — “skt9.iosgaxx423.xyz”. The connection is kept alive through periodic ping and pong messages. (see Figure 17).

Figure 17 – Establishing WebSocket connection

It leverages Android’s MediaProjection API to initiate screen capture, converting the captured content into JPEG images. These images are transmitted continuously to the C&C server via a WebSocket connection. (see Figure 18).

Figure 18 – Screen Capturing functionality

This functionality enables the threat actor to monitor the victim’s activity closely and provides a clear view for remotely interacting with the victim’s device.

During the analysis, we identified 34 distinct commands that RedHook can execute based on the server’s instructions. The malware interprets these commands as numerical values. The complete list of commands and descriptions is provided in the table below.

Command | Description
10001 | Collects device information
10002 | Performs a swipe
10003 | Performs a click at the given x and y coordinates
10004 | Creates overlay windows
10005 | Opens the status bar
10006 | Collects the contact list
10007 | Collects the application list
10008 | Collects the SMS list
10009 | Sends the information present on the current screen
10010 | Downloads and installs an APK file
10011 | Uninstalls an application
10012 | Copies text to the clipboard
10013 | Enters text into the edit field
10014 | Removes text from the edit field
10015 | Performs the go-back action
10016 | Takes the user to the home screen
10017 | Takes the user to the recents screen
10018 | Starts screen capturing
10019 | Sets the value that controls sending of current screen information
10020 | Locks the device
10021 | Unlocks the device
10022 | Shows a full-screen dialogue to enter the password
10023 | Shows a full-screen ID verification dialogue
10024 | Closes dialogue screens
10025 | Captures a screenshot
10026 | Captures a picture using the camera
10027 | Reboots the device
10028 | Suspected, from its function name, to kill running applications; not implemented in this version
10029 | Opens the accessibility service settings
10030 | Requests permission to install another application
10031 | Sets the debug parameter
10032 | Opens a progress dialogue
10033 | Performs a swipe action based on x and y coordinates
10034 | Performs a long click
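A static triage pass that turns the two structural signals described above (the overlay plus accessibility-service permission pairing, and the numeric command dispatcher 10001–10034) into a repeatable check, as an added example that is not Cyble's code and not RedHook's. It assumes the APK has been decoded with apktool so that AndroidManifest.xml and the smali tree are on disk; the manifest and smali embedded below are constructed stand-ins. In dex bytecode the command codes appear as 0x2711–0x2732, either as `const` literals, as sparse-switch entries, or as a packed-switch that lists only its base value, which the scanner expands from the number of labels. The scoring weights are this example's own heuristic.

```python
"""Static triage of a decoded RedHook-style APK (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission pairing the report calls characteristic of Android bankers,
# plus permissions implied by RedHook's command set (SMS, contacts, install).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SUPPORTING = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
              "android.permission.REQUEST_INSTALL_PACKAGES"}
MEDIA_PROJECTION = "Landroid/media/projection/MediaProjection;"

# RedHook's server-issued commands: integers 10001..10034 (0x2711..0x2732).
CMD_RANGE = range(10001, 10035)

# "const v0, 0x2711", "const/16 v1, 0x2712" or sparse-switch "0x2713 -> :label".
_LITERAL = re.compile(
    r"(?:const(?:/\w+)?\s+[vp]\d+,\s*|^)(0x[0-9a-fA-F]+|-?\d+)(?=\s*(?:->|$))")


def _to_int(token):
    try:
        return int(token, 0)
    except ValueError:  # e.g. "010" is not a valid base-0 literal
        return None


def command_constants(smali_text):
    """Set of CMD_RANGE values found as literals or switch-table entries.

    A packed-switch lists only its base; the label lines give the count,
    so the table is expanded to base..base+n-1 before matching.
    """
    found, lines, i = set(), [ln.strip() for ln in smali_text.splitlines()], 0
    while i < len(lines):
        m = re.match(r"\.packed-switch\s+(\S+)", lines[i])
        if m:
            base, n, i = _to_int(m.group(1)), 0, i + 1
            while i < len(lines) and lines[i] != ".end packed-switch":
                n += lines[i].startswith(":")
                i += 1
            if base is not None:
                found.update(v for v in range(base, base + n) if v in CMD_RANGE)
        else:
            for lit in _LITERAL.finditer(lines[i]):
                v = _to_int(lit.group(1))
                if v in CMD_RANGE:
                    found.add(v)
        i += 1
    return found


def manifest_findings(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    a11y = [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == A11Y_BIND]
    return {"overlay": OVERLAY in perms, "accessibility_service": a11y,
            "supporting": sorted(perms & SUPPORTING)}


def triage(manifest_xml, smali_text):
    """Heuristic verdict; weights are this example's, not a vendor's."""
    m = manifest_findings(manifest_xml)
    cmds = command_constants(smali_text)
    coverage = len(cmds) / len(CMD_RANGE)
    reasons, score = [], 0
    if m["overlay"] and m["accessibility_service"]:
        score += 3
        reasons.append("overlay permission + accessibility service")
    score += len(m["supporting"])
    reasons += [f"requests {p.rsplit('.', 1)[1]}" for p in m["supporting"]]
    if MEDIA_PROJECTION in smali_text:
        score += 1
        reasons.append("references MediaProjection")
    if coverage >= 0.3:
        score += 4 if coverage >= 0.8 else 2
        reasons.append(f"{len(cmds)}/{len(CMD_RANGE)} RedHook command codes")
    if coverage >= 0.8 and m["overlay"] and m["accessibility_service"]:
        verdict = "likely RedHook"  # family constants plus the banker pairing
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"verdict": verdict, "score": score, "reasons": reasons,
            "commands": sorted(cmds)}


# Constructed manifest and smali; not taken from a RedHook sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_SMALI = "\n".join(
    [".field private proj:" + MEDIA_PROJECTION,
     ".method private dispatch(I)V", "    .packed-switch 0x2711"]
    + [f"        :pswitch_{i}" for i in range(30)]          # 10001..10030
    + ["    .end packed-switch", "    const/16 v1, 0x2731",  # 10033
       "    const v0, 0x2732", "    return-void", ".end method"])  # 10034

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SMALI), indent=2))
```

Run it over a real decode by reading AndroidManifest.xml and concatenating every .smali file under the smali directories. The verdict deliberately requires both the command-code cluster and the permission pairing; either signal alone only yields "suspicious", because many legitimate accessibility apps request the same permissions and a partial run of integers can appear by chance.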

The public AWS S3 bucket used by the attacker also contained a screenshot of the WebSocket session used for the RAT functionality, with its interface and annotations in Chinese. (see Figure 19)

Figure 19 – Exposed image on AWS S3 bucket displays the WebSocket connection with RAT functionality

By combining phishing, keylogging, screen capture, RAT commands, and elevated permissions, RedHook gives threat actors complete remote control over infected devices. This enables the systematic harvesting of sensitive information and the execution of financial fraud directly on the victim’s device, often without raising suspicion.

Conclusion

The discovery of RedHook highlights the growing sophistication of Android banking trojans that combine phishing, remote access, and keylogging to carry out financial fraud. By leveraging legitimate Android APIs and abusing accessibility permissions, RedHook stealthily gains deep control over infected devices while remaining under the radar of many security solutions.

Android users should prioritize robust mobile threat detection measures, especially in high-risk regions. This case also highlights the growing need for proactive intelligence sharing and coordinated rapid response frameworks to contain emerging mobile threats before they escalate in scale and impact.

Cyble’s Threat Intelligence Platforms continuously monitor emerging threats, phishing infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Install Apps Only from Trusted Sources:
    Download apps exclusively from official platforms like the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
  • Be Cautious with Permissions:
    Never grant accessibility services or overlay permissions unless you’re certain of an app’s legitimacy.
  • Watch for Phishing Pages:
    Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
  • Enable Two-Factor Authentication (2FA):
    Use 2FA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
  • Report Suspicious Activity:
    If you suspect you’ve been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
  • Use Mobile Security Solutions:
    Install a mobile security application that includes real-time scanning.
  • Keep Your Device Updated:
    Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Procedure
Initial Access (TA0027) | Phishing (T1660) | Malware is distributed via phishing sites
Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretends to be a genuine application
Discovery (TA0032) | Application Discovery (T1418) | Collects the installed application package name list
Defense Evasion (TA0030) | Input Injection (T1516) | Malware mimics user interaction, performing clicks, gestures, and text input
Defense Evasion (TA0030) | Indicator Removal on Host: Uninstall Malicious Application (T1630.001) | RedHook can uninstall itself
Credential Access (TA0031) | Input Capture: Keylogging (T1417.001) | RedHook collects credentials via keylogging
Discovery (TA0032) | System Information Discovery (T1426) | RedHook collects device information
Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Collects SMS messages
Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Collects the contact list
Collection (TA0035) | Screen Capture (T1513) | Malware records the screen using MediaProjection
Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | Malware uses HTTP and WebSocket to communicate with the C&C server
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Exfiltrated data is sent over the C&C channel

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Description
0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07 | SHA256 | RedHook
ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3 | SHA256 | RedHook
f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b | SHA256 | RedHook
41d09fb33d7696833c11c739a3b0929cd0bff70c29c1a8d00a9c2041c8d0b863 | SHA256 | RedHook
5427ce8b04fc8a09391c2f6eeed44230d256640e1e74f20a1c1f2fcdabea32df | SHA256 | RedHook
ac8b2617d487e0d7719d506333c3ad4afbd014aedf75d684f072ae6f3c544dbc | SHA256 | RedHook
ecc1ccc0f2e1b925834a63f0dc1f514c83329427f308575f417cc4799539398c | SHA256 | RedHook
8f4d41b11338583959d3d297cdb0c01214f84dfddc5dcdf25f8463f9c2d442d9 | SHA256 | RedHook
8afbbc53e0b69e22ab444ba69718d543469efb4af2c65bcd27a47f12211a0a67 | SHA256 | RedHook
adsocket[.]e13falsz.xyz | Domain | C&C server
api9[.]iosgaxx423.xyz | Domain | C&C server
skt9[.]iosgaxx423.xyz | Domain | WebSocket C&C server
api5[.]jftxm.xyz | Domain | WebSocket C&C server
dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk | URL | Distribution URL
nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk | URL | Distribution URL
sbvhn[.]com/ | URL | Phishing URL
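A detection pass over proxy logs, added here as an example rather than Cyble's code: it refangs the indicators above, then matches each log entry against the exact IOC hosts, against the registrable domains of the C&C infrastructure (so a fresh subdomain of iosgaxx423.xyz, like the alternate subdomain the RAT already uses, is still caught), and against the C2 URI paths named in the analysis (/auth/V2/login, /member/info/addDevice, /file/upload/). The log format and every entry, including the hypothetical api7 subdomain, are constructed. The two-label "apex" approximation is a simplification of the Public Suffix List, so shared suffixes such as amazonaws.com and cloudfront.net are excluded from apex matching to avoid flagging unrelated tenants.

```python
"""Match proxy log lines against RedHook IOCs (added example)."""
import re
from urllib.parse import urlsplit

# Indicators from the report, kept in the defanged form published there.
DEFANGED_IOCS = [
    "adsocket[.]e13falsz.xyz", "api9[.]iosgaxx423.xyz",
    "skt9[.]iosgaxx423.xyz", "api5[.]jftxm.xyz",
    "dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk",
    "nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk",
    "sbvhn[.]com/",
]
# C2 URI paths from the analysis; matched on any host so that a new
# subdomain of the same infrastructure is still caught.
C2_PATHS = ("/auth/V2/login", "/member/info/addDevice", "/file/upload/")
# Suffixes shared by many unrelated tenants: never match on apex alone.
SHARED_SUFFIX_APEXES = {"amazonaws.com", "cloudfront.net"}


def refang(ioc):
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(ioc):
    """Lower-cased host of a refanged domain or URL (scheme optional)."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def apex(host):
    """Registrable domain approximated as the last two labels (no PSL)."""
    return ".".join(host.split(".")[-2:])


def build_watchlist(iocs=DEFANGED_IOCS):
    hosts = {host_of(i) for i in iocs}
    apexes = {apex(h) for h in hosts} - SHARED_SUFFIX_APEXES
    return hosts, apexes


# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def scan(log_lines, watch=None):
    """Return one hit per matching line with the reasons it matched."""
    hosts, apexes = watch or build_watchlist()
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        u = urlsplit(m["url"])
        host = (u.hostname or "").lower()
        reasons = []
        if host in hosts:
            reasons.append("ioc host")
        elif apex(host) in apexes:
            reasons.append(f"ioc apex {apex(host)}")
        if any(u.path.startswith(p) for p in C2_PATHS):
            reasons.append(f"c2 path {u.path}")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host,
                         "path": u.path, "reasons": reasons})
    return hits


# Constructed sample; the api7 subdomain is hypothetical.
SAMPLE_LOG = [
    "2025-07-20T10:01:02Z 10.0.0.15 POST https://api9.iosgaxx423.xyz/auth/V2/login 200",
    "2025-07-20T10:01:09Z 10.0.0.15 POST https://api9.iosgaxx423.xyz/member/info/addDevice 200",
    "2025-07-20T10:02:30Z 10.0.0.15 GET https://skt9.iosgaxx423.xyz/ 101",
    "2025-07-20T10:03:00Z 10.0.0.22 POST https://api7.iosgaxx423.xyz/file/upload/ 200",
    "2025-07-20T10:04:00Z 10.0.0.31 GET https://www.example.com/index.html 200",
    "2025-07-20T10:05:00Z 10.0.0.31 GET https://docs.s3.ap-southeast-1.amazonaws.com/report.pdf 200",
    "2025-07-20T10:06:00Z 10.0.0.40 GET https://nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['host']}{hit['path']}: {', '.join(hit['reasons'])}")
```

The status 101 on the skt9 line is the WebSocket upgrade handshake; a proxy that logs the upgrade is the only place the RAT channel shows up as HTTP, so path-based rules alone would miss it and the host match carries that detection. Feed the script with real logs by replacing SAMPLE_LOG with lines read from the proxy, after adjusting LOG_RE to the proxy's format.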

Source: https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/