An alarming new cyberattack has emerged in Vietnam, in which the attacker uses RedHook while impersonating major state agencies and financial institutions. Through carefully designed scam websites, RedHook targets ordinary users to steal personal data and bank accounts and to gain full control over the device.


RedHook is Android malware deliberately released in Vietnam by impersonating state agencies, distributing APK files via fraudulent SMS, QR codes, fake ads, and hosting on AWS. Once on the device, RedHook can take full control of the system, collect OTPs, personal data and bank accounts, and execute remote-control commands, to a degree WhiteHat experts rated as “alarming”.


Image: scam website distributing the APK

The fake websites were carefully designed to trick users into believing they were downloading the official app, while in fact the APK files containing RedHook were stored on the public AWS S3 service and distributed via fake domains, allowing the attacker to easily change infrastructure and adjust the campaign to the target.

WhiteHat experts consider RedHook particularly dangerous because it can evade antivirus software, with very low detection rates so far, so many devices are infected without their owners' knowledge. The malware also targets users in Southeast Asia, a region that relies heavily on mobile devices for financial transactions, increasing the risk of data and asset loss. In addition, the RedHook distribution campaign reused fake templates in several languages, suggesting it may expand to other regions around the globe in the future.


Image: very low detection rate on VirusTotal

How does RedHook work?

Cyber security researchers have uncovered many clues linking the attack campaign to Chinese-speaking groups. Specifically, the malicious application's source code and evidence from a public S3 bucket suggest the work of a Chinese-speaking attacker or group. Multiple Chinese-language strings appear in WebSocket interface logs and images, providing clues to the origin of the malicious code.

The S3 Bucket, active since at least November 2024, contains large amounts of operating data such as fake bank interface templates, photos of fraud stages, and documents related to campaigns targeting users in Vietnam.

Of note, a link was established to the domain name mailisa[.]me, which has been implicated in large-scale cosmetic fraud cases in Vietnam. This suggests that the attacker has moved from simple forms of fraud to using sophisticated malware to expand the scale and level of harm.


Image: the malware receiving the mailisa.me domain from the server

1. Fool the user from the start

Shortly after installation, RedHook forges the login interface of familiar banks to trick users into entering their account information. At the same time, it lures users into granting high-level permissions, including:

  • Accessibility Service: enabled through the device's accessibility settings, which are meant for assistive features.
  • Overlay permission: drawing its own windows on top of other applications.

With these permissions, RedHook can stay hidden, interfere deeply with other applications, and bypass many of Android's standard protections.

2. Record remote device operation and control

RedHook uses the MediaProjection API, a legitimate Android tool for screen capture, to record the screen and stream it in real time back to the command-and-control (C2) server over a WebSocket, a powerful two-way channel that is rare in conventional malicious code. In this way the attacker can watch and manipulate the victim's device directly, as if it were in his or her hands.

3. Over 30 highly dangerous remote control commands

Technical analysis shows that RedHook can execute up to 34 different control commands, including these particularly dangerous ones:

  • Download and install an APK file: lets the attacker install additional malware, backdoors, or other spyware without user consent.
  • Open the accessibility service: lets the malware control the entire device, press buttons automatically, read screen contents, and dismiss security warnings. This is the most abused core permission in banking trojans.
  • Start screen capture: lets the attacker view all user activity on the phone (entry of passwords, OTPs, account information, messages, etc.).
  • Collect the SMS list: can steal OTP codes, bank verification messages, or other important notifications such as transaction messages.
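The permission pattern described in points 1 to 3 (a sideloaded app that enables an accessibility service and asks for overlay, SMS and install-package rights) is what a defender can look for in a fleet inventory. The script below is an added example for this write-up, not WhiteHat's tooling: it scores each app in a simplified JSON inventory (a constructed format; adapt the loader to what your MDM actually exports) and flags those that combine the rights RedHook abuses. The weights, threshold and package names are illustrative assumptions.

```python
"""Triage an Android app inventory for the RedHook-style permission pattern:
sideloaded install + accessibility service enabled + overlay, SMS and
install-package rights. Added example, not WhiteHat's tooling; the inventory
format is a constructed, simplified JSON export."""
import json

# Weights are an illustrative assumption, not a vendor risk score.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,       # overlays on top of banking apps
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # drop further APKs
    "android.permission.READ_SMS": 2,                  # OTP theft
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": 2,  # screen streaming, API 34+
}
SIDELOAD_WEIGHT = 3
ACCESSIBILITY_WEIGHT = 4
ALERT_THRESHOLD = 6
# Installer package names treated as trusted app stores (Google Play, Galaxy Store).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def score_app(app):
    """Return (score, reasons) for one inventory entry."""
    score, reasons = 0, []
    installer = app.get("installer")
    if installer not in TRUSTED_INSTALLERS:
        score += SIDELOAD_WEIGHT
        reasons.append(f"sideloaded (installer={installer or 'unknown'})")
    if app.get("accessibility_enabled"):
        score += ACCESSIBILITY_WEIGHT
        reasons.append("accessibility service enabled")
    for perm in app.get("requested_permissions", []):
        weight = RISK_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            reasons.append(perm.rsplit(".", 1)[-1])
    return score, reasons


def triage(inventory_json, threshold=ALERT_THRESHOLD):
    """Return [(package, score, reasons)] for apps at or above the threshold, highest first."""
    flagged = []
    for app in json.loads(inventory_json):
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append((app["package"], score, reasons))
    return sorted(flagged, key=lambda f: -f[1])


# Constructed sample inventory; package names are placeholders.
SAMPLE_INVENTORY = json.dumps([
    {"package": "com.example.realbank", "installer": "com.android.vending",
     "accessibility_enabled": False,
     "requested_permissions": ["android.permission.INTERNET", "android.permission.CAMERA"]},
    {"package": "com.example.sms", "installer": "com.android.vending",
     "accessibility_enabled": False,
     "requested_permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"]},
    {"package": "com.example.fakegovapp", "installer": None,  # sideloaded from a scam site
     "accessibility_enabled": True,
     "requested_permissions": ["android.permission.INTERNET",
                               "android.permission.SYSTEM_ALERT_WINDOW",
                               "android.permission.REQUEST_INSTALL_PACKAGES",
                               "android.permission.READ_SMS",
                               "android.permission.RECEIVE_SMS"]},
])

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY):
        print(f"{package}: score {score} -> {', '.join(reasons)}")
```

A legitimate SMS app from Google Play scores below the threshold because it is neither sideloaded nor using an accessibility service; the combination, not any single permission, is what makes the sideloaded sample stand out.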

WhiteHat experts recommend

1. Personal users:

  • Never install apps from anywhere other than Google Play or other reputable sources; sideloading is a common way to spread malicious code such as RedHook.
  • Don’t install APK files from unknown sources, especially if they’re received via SMS, QR codes, Zalo, Facebook, or unofficial sites.
  • Be wary of fake websites that look like banks but require you to download an APK app.
  • Be wary of apps that ask for unusual system permissions, such as: Accessibility, Overlay, or screen recording.
  • Always update your operating system and security software, even on older devices, to fix vulnerabilities that can be exploited.

2. Government and organizations/enterprises

  • Strengthen monitoring and detection of malicious code on users' devices, especially unusual behaviour related to system permissions.
  • Alert your users to new attacks such as RedHook via email, SMS, and official apps.
  • Use threat intelligence to detect, warn about, and block the spread quickly.
  • Collaborate with service providers such as AWS to remove the bucket or domain name used to spread malicious code.
  • Issue internal emergency warnings, review forged domain names, and update indicators of compromise (IOCs) for timely monitoring and handling.
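The last two recommendations (remove the S3 bucket, and keep IOCs such as the mailisa[.]me domain in monitoring) can be turned into a simple log check. The script below is an added example for this write-up, not WhiteHat's tooling: it refangs a defanged IOC list, scans constructed proxy log lines for hits on those domains (including subdomains), and separately flags any `.apk` download from an Amazon S3 hostname, since the campaign hosted its APKs on public S3. The log format, the second IOC and the bucket name are placeholders; only mailisa[.]me comes from the write-up.

```python
"""Match defanged domain IOCs and S3-hosted APK downloads against proxy log lines.
Added example, not WhiteHat's tooling; log lines and the second IOC are constructed."""
import re
from urllib.parse import urlsplit

# Defanged IOC list as it would be shared in an advisory. Only the first entry
# is from the write-up; the second is an obvious placeholder.
IOC_DOMAINS = ["mailisa[.]me", "placeholder-ioc[.]example"]

# Matches S3 hostnames in both virtual-hosted and path styles, e.g.
# bucket.s3.amazonaws.com, bucket.s3.ap-southeast-1.amazonaws.com, s3.amazonaws.com
S3_HOST_RE = re.compile(r"(^|\.)s3[.-][a-z0-9-]*\.?amazonaws\.com$")


def refang(value):
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def domain_matches(host, ioc):
    """True if host is the IOC domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def check_line(line, iocs):
    """Return (timestamp, client, host, hits) for a suspicious line, else None.
    Constructed log format: '<ts> <client-ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, _method, url, _status = parts[:5]
    split = urlsplit(url)
    host = split.hostname or ""
    hits = [f"ioc-domain:{ioc}" for ioc in iocs if domain_matches(host, ioc)]
    if S3_HOST_RE.search(host) and split.path.lower().endswith(".apk"):
        hits.append("apk-from-public-s3")
    return (ts, client, host, hits) if hits else None


def scan(log_text, ioc_list=IOC_DOMAINS):
    """Scan all lines; return the list of hits in log order."""
    iocs = [refang(d) for d in ioc_list]
    return [hit for hit in (check_line(l, iocs) for l in log_text.splitlines()) if hit]


# Constructed sample proxy log; IPs, bucket and paths are placeholders.
SAMPLE_LOG = """\
2025-07-30T10:12:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2025-07-30T10:12:03Z 10.0.0.7 GET https://app.mailisa.me/login 200
2025-07-30T10:12:09Z 10.0.0.7 GET https://placeholder-bucket.s3.ap-southeast-1.amazonaws.com/vn/app.apk 200
2025-07-30T10:12:15Z 10.0.0.9 GET https://notmailisa.me/ 200
2025-07-30T10:12:20Z 10.0.0.9 GET https://docs.s3.amazonaws.com/readme.pdf 200
"""

if __name__ == "__main__":
    for ts, client, host, hits in scan(SAMPLE_LOG):
        print(f"{ts} {client} {host}: {', '.join(hits)}")
```

The subdomain check deliberately requires a dot boundary, so a look-alike such as `notmailisa.me` does not produce a false positive, and the S3 rule fires only on APK paths so ordinary S3-hosted documents pass through.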

RedHook is no isolated case but a clear wake-up call that the mobile devices we use every day to transact and store personal information are becoming prime targets. When a single installation is rushed or made without careful checking, users may trade away all their data and assets.

Vigilance is no longer an option but a requirement in the digital age.

WhiteHat