RedHook: A New Android Banking Trojan Targeting Users In Vietnam

Medium
Published: Thu Jul 31 2025 (07/31/2025, 19:23:46 UTC)
Source: AlienVault OTX General

Description

A sophisticated Android banking trojan named RedHook has been discovered targeting Vietnamese users through spoofed government and financial websites. The malware uses WebSocket to communicate with its command-and-control server and supports over 30 remote commands, enabling complete control over compromised devices. RedHook combines phishing, RAT, and keylogging capabilities to exfiltrate credentials and conduct fraud. It abuses Android's MediaProjection API for screen capture and sends data to a live C2 server. The malware's low antivirus detection rate makes it a stealthy and active threat. Code artifacts suggest development by a Chinese-speaking threat actor or group. An exposed AWS S3 bucket revealed operational data dating back to November 2024, indicating a shift from previous scam campaigns to this advanced banking trojan.

AI-Powered Analysis

Last updated: 07/31/2025, 19:48:38 UTC

Technical Analysis

RedHook is a sophisticated Android banking Trojan that specifically targets users in Vietnam, luring victims through spoofed government and financial websites. The malware communicates with its command-and-control (C2) infrastructure over the WebSocket protocol, which gives it a persistent, real-time, bi-directional channel. RedHook supports over 30 remote commands, granting attackers extensive control over infected devices. Its capabilities include phishing overlays that trick users into divulging sensitive information, Remote Access Trojan (RAT) functionality for remote device control, and keylogging to capture user input such as credentials. Notably, RedHook abuses Android's MediaProjection API to capture screen content stealthily and streams it live to the C2 server, extending its harvesting beyond keystrokes alone. The malware maintains a low detection rate among antivirus solutions, increasing its stealth and persistence. Code analysis indicates the threat actor or group behind RedHook is likely Chinese-speaking, and operational data exposed via an unsecured AWS S3 bucket shows the campaign has been active since at least November 2024. This marks a strategic shift from previous scam campaigns to a more advanced and targeted banking Trojan. Indicators of compromise include multiple file hashes and suspicious domains associated with the malware's infrastructure.

Potential Impact

For European organizations, the direct impact of RedHook is currently limited due to its targeting of Vietnamese users and Vietnamese financial/government institutions. However, the presence of such a sophisticated Android banking Trojan highlights the evolving threat landscape that could potentially expand geographically or inspire similar campaigns targeting European users. If adapted or spread to European markets, RedHook could compromise user credentials, enable financial fraud, and lead to unauthorized access to corporate or personal financial accounts. The abuse of Android's MediaProjection API and RAT capabilities poses a significant risk to confidentiality and privacy, potentially exposing sensitive corporate data or personal information. Additionally, the low detection rate suggests that current security solutions might fail to detect or prevent infections, increasing the risk of prolonged undetected compromise. European organizations with business or personnel connections to Vietnam or those employing Android devices in sensitive roles should be particularly vigilant.

Mitigation Recommendations

1. Implement advanced mobile threat defense solutions capable of detecting sophisticated banking Trojans and monitoring unusual app behaviors, including unauthorized use of the MediaProjection API.

2. Educate users, especially those with connections to Vietnam or handling sensitive financial data, about phishing risks and the dangers of installing apps from untrusted sources or clicking on suspicious links, particularly those mimicking government or financial institutions.

3. Employ network monitoring to detect anomalous WebSocket traffic patterns indicative of C2 communication.

4. Regularly audit and secure cloud storage environments (e.g., AWS S3 buckets) to prevent accidental exposure of operational data that could aid attackers.

5. Enforce strict app vetting policies on corporate Android devices, including restricting installation to verified apps and using Mobile Application Management (MAM) tools.

6. Monitor threat intelligence feeds for updates on RedHook and related indicators of compromise (IOCs) such as file hashes and domains, and integrate these into endpoint detection and response (EDR) and security information and event management (SIEM) systems.

7. Encourage multi-factor authentication (MFA) on all financial and sensitive accounts to reduce the impact of credential theft.
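The following script illustrates recommendations 3 and 6 by matching the four IoC domains from this page against proxy and DNS log lines and flagging WebSocket upgrades to them. It is an added example, not code from the Cyble report or the AlienVault pulse; the log line format and the apex-domain (sibling subdomain) heuristic are assumptions, and the sample log lines are constructed.

```python
"""Hunt for RedHook C2 domains in proxy/DNS logs (added example, not from the report)."""
import re
from typing import Dict, List, Optional

# Domains taken verbatim from the IoC table on this page.
REDHOOK_DOMAINS = {
    "adsocket.e13falsz.xyz",
    "api5.jftxm.xyz",
    "api9.iosgaxx423.xyz",
    "skt9.iosgaxx423.xyz",
}


def apex(domain: str) -> str:
    """Registrable (apex) domain, e.g. 'api9.iosgaxx423.xyz' -> 'iosgaxx423.xyz'.
    Heuristic: last two labels; good enough for .xyz, not for multi-label TLDs."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


# Assumption: the attacker controls the whole apex, so unlisted sibling
# subdomains are worth flagging at lower confidence.
REDHOOK_APEX = {apex(d) for d in REDHOOK_DOMAINS}

# Assumed line format: "<ts> <src_ip> <dns|proxy> <qtype|method> <host> [k=v ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|proxy) (?P<op>\S+) (?P<host>\S+)(?: (?P<extra>.*))?$"
)

# Constructed sample lines for a stand-alone run.
SAMPLE_LOGS = [
    "2025-07-31T10:00:01Z 10.0.0.12 dns A api9.iosgaxx423.xyz",
    "2025-07-31T10:00:02Z 10.0.0.12 proxy GET api9.iosgaxx423.xyz upgrade=websocket",
    "2025-07-31T10:00:03Z 10.0.0.13 dns A cdn.example.com",
    "2025-07-31T10:00:04Z 10.0.0.14 proxy GET ws2.iosgaxx423.xyz upgrade=websocket",
    "2025-07-31T10:00:05Z 10.0.0.15 proxy CONNECT adsocket.e13falsz.xyz. upgrade=none",
]


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record when the host matches an IoC exactly or by apex."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m["host"].lower().rstrip(".")  # normalise case and trailing dot
    extra = m["extra"] or ""
    if host in REDHOOK_DOMAINS:
        match = "exact"
    elif apex(host) in REDHOOK_APEX:
        match = "apex"  # lower confidence: sibling of a known C2 host
    else:
        return None
    return {"ts": m["ts"], "src": m["src"], "kind": m["kind"], "host": host,
            "match": match, "websocket": "upgrade=websocket" in extra}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Exact hits on the listed domains are high-confidence; apex hits should be triaged before blocking, since the heuristic will also fire on any unrelated host that shares the registrable domain.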

Technical Details

Author: AlienVault
TLP: white
References: https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/
Adversary: null
Pulse Id: 688bc2c2387bb9752f1e2c86
Threat Score: null

Indicators of Compromise

Hash


Domain

adsocket.e13falsz.xyz
api5.jftxm.xyz
api9.iosgaxx423.xyz
skt9.iosgaxx423.xyz

Threat ID: 688bc4dcad5a09ad00bbdc80

Added to database: 7/31/2025, 7:32:44 PM

Last enriched: 7/31/2025, 7:48:38 PM

Last updated: 8/2/2025, 1:42:42 AM
