Users across Southeast Asia, including Vietnam, were alarmed by the emergence of a dangerous piece of malware called RedHook. Its goal is to forge the applications of Vietnamese state agencies and banks in order to trick Android users into installing the malware, which then steals personal information and bank accounts and can even allow the device to be monitored remotely.
At the time of the RedHook analysis, the C2 server that the malware contacted had returned a total of 570 user IDs. Each user ID corresponds to a device that has been compromised and has sent data to the server.
This figure indicates that at least 570 Android devices have been infected, not counting cases that were not recorded or have not yet connected to the server. The actual number is therefore likely higher: the 570 user IDs are only a snapshot of one sample of the malware distribution infrastructure, and they reflect an increasing rate of infection.
This is a clear indication that the RedHook campaign has moved beyond an experimental scale and is taking place in reality, with an alarming number of victims.
The app uses WebSocket to connect to several external C2 servers
Why do users need to be especially vigilant?
- Vietnamese users tend to trust apps bearing a government or bank logo, and the attackers take advantage of this habit.
- The malicious apps can steal OTP codes, log into bank accounts, read messages, and record on-screen actions.
- The victim may be an ordinary user, but if the victim is a state official or employee the consequences are more serious: sensitive information may leak, or the device may be used for espionage.
Malware download button
How RedHook Works
RedHook is a sophisticated impersonation app. It masquerades as a state agency, bank, or online public service app and tricks Android users into downloading it from forged websites, SMS messages, or social media. Once installed, the app asks the user to grant the “Accessibility” permission, which allows it to track and manipulate what is on screen, together with the “Display over other apps” permission, which lets it draw a fake interface such as a bank login screen on top of the real one. When the user unknowingly enters their details, the malware captures them and sends them to a remote server overseas over the WebSocket protocol, a data transfer technique that traditional security solutions find difficult to detect.
After the fake app is installed, a message appears asking for access.
Tapping “Allow” lets the app interact with the other apps on your phone.
The app claims it needs permission to access photos, but what it actually requests is access to the Accessibility service.
The fake app asks to interact with the other apps on the victim’s phone, but in reality it impersonates them.
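The combination described above (Accessibility plus overlay, on an app that did not come from the store) is something a defender can check for on a device connected over adb. The following is an added example, not code from the article or from WhiteHat: a small triage helper that parses constructed samples shaped like the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` and `adb shell pm list packages -i`; the package names are hypothetical.

```python
# Added example, not from the article. Inputs are constructed samples shaped
# like `adb shell settings get secure enabled_accessibility_services` and
# `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` output; names are hypothetical.

# Android stores enabled services as a colon-separated list of
# "package/ServiceClass" component names (constructed sample).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakebank/.OverlayService"
)
# Constructed per-package appops output for the overlay permission.
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.fakebank": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago",
}
# Constructed installer map; `pm list packages -i` reports installer=null
# for sideloaded APKs and com.android.vending for Play-installed ones.
SAMPLE_INSTALLERS = {
    "com.google.android.marvin.talkback": "com.android.vending",
    "com.example.fakebank": "null",
}

def packages_with_accessibility(enabled_services: str) -> set:
    """Keep the package half of each 'package/ServiceClass' entry."""
    return {e.split("/", 1)[0] for e in enabled_services.split(":") if e}

def overlay_allowed(appops_output: str) -> bool:
    """True when the appops dump shows the overlay op granted."""
    return "SYSTEM_ALERT_WINDOW: allow" in appops_output

def triage(enabled_services: str, appops: dict, installers: dict) -> dict:
    """Map each package with Accessibility enabled to its other risk signals."""
    return {
        pkg: {
            "overlay": overlay_allowed(appops.get(pkg, "")),
            "sideloaded": installers.get(pkg, "null") == "null",
        }
        for pkg in packages_with_accessibility(enabled_services)
    }

def high_risk(report: dict) -> list:
    """Sideloaded apps holding both Accessibility and overlay: the exact
    combination described above, so review or remove them."""
    return sorted(p for p, s in report.items() if s["overlay"] and s["sideloaded"])

if __name__ == "__main__":
    rep = triage(SAMPLE_ENABLED_SERVICES, SAMPLE_APPOPS, SAMPLE_INSTALLERS)
    for pkg in high_risk(rep):
        print("HIGH RISK:", pkg, rep[pkg])
```

Run against real adb output, a legitimate accessibility tool such as TalkBack is reported but not flagged, because it is Play-installed and holds no overlay grant.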
Is this a sophisticated operation by an organized, capable hacker group?
From WhiteHat’s perspective, based on the reports and on RedHook’s sophisticated “profile”, this does not look like a routine individual scam; it shows the signs of a well-planned, organized cyberattack campaign.
The goal may not only be to steal personal information or property: if the victim happens to be a government official or a public service user, the campaign may also serve cyber espionage.
The application source code contains numerous Chinese-language comments, suggesting that the malware originated from a foreign development group, possibly in the Chinese region. Although forging websites or government apps is not a new technique, it remains extremely effective against unwary users, especially elderly people who are less tech-savvy or who need to use online public services. This is a serious threat, and the community needs to be warned about it widely.
The app writes its log messages in Chinese
What do people need to do to protect themselves?
Do not download apps from unknown links
- Never install an app from a text message, social media, or an unofficial website.
- Install apps only from CH Play (Google Play Store).
Check application permissions
- Do not grant the “Accessibility” or “Display over other apps” permissions if you do not understand why the app needs them.
Be wary of apps that look like banks or government services
- Double-check the app’s name and its publisher.
- If in doubt, do not log in with any information, including your phone number or OTP.
Remove suspicious apps
- If you notice unusual activity on your phone (an unfamiliar screen, unknown permissions, apps launching by themselves), disconnect from the network, remove the app, and reinstall your security software.
What is the government doing to protect its people?
- The Vietnamese government, through the Ministry of Information and Communications (TT&T) and the National Cyber Security Center (NCSC), monitors cyberspace around the clock. The national technical system can detect and request the blocking of websites hosting malware, scams, and forgeries of banks and state agencies before people are affected.
- It focuses on spreading cybersecurity knowledge to the public, especially vulnerable groups such as the elderly, students and officials in remote areas. These campaigns run on television, in newspapers and on social networks to reach all parts of society.
- Beyond state agencies, organizations such as the WhiteHat Network Security Community work around the clock with government agencies and technology and cybersecurity alliances to detect cyber threats early. The participation of communities and businesses helps form an early warning network that protects digital safety for everyone.
Anyone can be a victim. A moment of vigilance can prevent a risk to your family and your organization in time.