Emergence of RedHook Android Banking Trojan Signals Rising Regional Cybersecurity Threats


Researchers at Cyble Labs have uncovered a new Android banking Trojan called RedHook that targets Vietnamese users through phishing websites impersonating trusted institutions. This sophisticated malware uses Chinese infrastructure and has the potential to target other Southeast Asian countries, including Indonesia.

Researchers at Cyble Research and Intelligence Labs have identified a new Android banking Trojan called RedHook actively targeting Vietnamese users via phishing websites impersonating trusted financial and government institutions. The malware grants attackers remote access, keylogging, and phishing capabilities, allowing comprehensive control over infected devices while evading most antivirus detection.

RedHook’s distribution relies on malicious APK files hosted on an exposed AWS S3 bucket, enabling over 500 infections since late 2024. Technical analysis indicates the threat actors use Chinese-language infrastructure and have links to previous Vietnamese fraud campaigns, suggesting a sophisticated, evolving operation. The presence of Indonesian language phishing templates suggests potential or ongoing targeting beyond Vietnam within Southeast Asia.

Key points:

  • RedHook’s phishing templates include Indonesian language, highlighting a direct potential threat to Indonesian users and financial systems.
  • The malware spreads through fraudulent websites mimicking legitimate Vietnamese financial institutions.
  • Infection grants attackers remote control and the ability to record keystrokes, capture screen activity, and steal sensitive personal data.
  • The malware abuses Android accessibility services and the MediaProjection API for persistent and intrusive data capture.
  • Communication with command-and-control servers occurs over persistent WebSocket connections supporting 34 distinct remote commands.
  • The operational infrastructure shows Chinese-language artifacts, indicating possible origin from Chinese-speaking threat actors.
  • Exploitation of publicly exposed cloud storage significantly facilitated distribution of malicious payloads.
  • Over 500 infections have been documented, underscoring the malware’s rapid spread and impact.

Relationship Between the Article and Indonesia, and Recommended Actions:

Although RedHook currently targets Vietnamese victims, the inclusion of Indonesian-language phishing templates signals a direct risk to Indonesia's mobile banking ecosystem, whose digital banking environment is similarly exposed to such threats. Indonesian authorities must rapidly enhance monitoring of phishing sites and malicious APK files targeting their population, with a specific focus on mobile malware. Financial institutions and regulatory bodies should reinforce secure user authentication methods, discourage APK sideloading, and collaborate with cybersecurity researchers to detect emerging threats. The government should also implement stricter regulations for cloud storage security to prevent public exposure of malware distribution infrastructure, and promote timely threat intelligence sharing across regional partners to counter cross-border cybercriminal activity.
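The recommendation above concerns cloud storage that is left world-readable, the misconfiguration that let RedHook's APKs be served from an exposed S3 bucket. The following is an added example, not code from Cyble or the article, of the kind of offline audit a defender can run over S3 bucket policy documents: it flags Allow statements that grant read access to an anonymous principal. The two policy documents are constructed samples (the bucket name and role ARN are placeholders), not the bucket from the campaign.

```python
"""Audit S3 bucket policy documents for anonymous read access.

Added example, not from the Cyble report. The policies below are constructed
samples with placeholder names; they are not the bucket used by RedHook.
"""
import json
from fnmatch import fnmatchcase

# Actions that expose object contents or listings when granted to everyone.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the principal is '*' or {'AWS': '*'}, i.e. anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for key in principal for p in _as_list(principal[key]))
    return False


def _grants_read(actions):
    """True when any action pattern (e.g. '*', 's3:*', 's3:Get*') covers a read action."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(read, pat) for pat in patterns for read in READ_ACTIONS)


def public_read_statements(policy_json):
    """Return the Sid (or positional label) of every unconditioned Allow statement
    that grants read access to an anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        if stmt.get("Condition"):
            # Conditioned grants (e.g. restricted by source VPC) need manual review,
            # so they are not reported as unconditionally public here.
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def bucket_is_public(policy_json):
    """Convenience wrapper: True when at least one statement exposes the bucket."""
    return bool(public_read_statements(policy_json))


# Constructed weak policy: the classic "public website" grant that also makes
# any uploaded APK downloadable by anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-placeholder-bucket/*",
    }],
})

# Constructed corrected policy: reads are limited to one named IAM role.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/placeholder-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-placeholder-bucket",
            "arn:aws:s3:::example-placeholder-bucket/*",
        ],
    }],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_read_statements(doc))
```

In a real audit the policy document would come from the account's own API (for example the bucket-policy retrieval call in the AWS SDK) rather than an inline string, and this check complements, not replaces, the account-level and bucket-level public access block settings and the bucket ACL, which can expose objects even when the policy is clean.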

What Indonesian Citizens Should Know and Do:

Indonesian mobile users should be cautious of unsolicited messages or websites requesting banking credentials or personal information, especially those urging the download of APK files from unofficial sources. Given RedHook's use of phishing sites mimicking trusted institutions in multiple languages, users must verify URLs and avoid entering sensitive data on suspicious platforms. If prompted to upload identity documents or enter two-factor authentication codes on unfamiliar websites, citizens should verify legitimacy through official channels before proceeding. Prompt reporting of suspicious activity to local cybercrime units can significantly contribute to early detection and containment of similar malware threats.

Source:
https://thecyberexpress.com/redhook-android-banking-trojan-exploiting
https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam