RedHook Banking Trojan

Beware: This Android malware can hijack your device, steal banking credentials, and give attackers full remote access.

Threat Summary

How Did RedHook Banking Trojan Get In?

The RedHook trojan spreads primarily through fake websites impersonating trusted Vietnamese organizations—like the State Bank, regional banks, and even traffic police portals. These phishing pages prompt users to download what looks like an official mobile app, but it’s a malicious APK file.

Once sideloaded onto an Android device, RedHook requests permissions that seem legitimate but give it full access to your data, screen, and interactions. The APKs are often hosted on public cloud storage services, making them easily accessible to victims.

What RedHook Banking Trojan Does on Your Android Device

RedHook is designed to silently harvest personal and financial data while maintaining stealth and control. Here’s what it does once installed:

• Permission Abuse: Requests Android Accessibility, screen overlay, and media permissions to track your input and interactions.
• Credential Theft: Creates fake login overlays for banks and payment apps to steal your usernames, passwords, and 2FA codes.
• Remote Access Tools (RAT): Connects to a command-and-control server via WebSocket and supports over 30 commands, including:
  • Sending and reading SMS
  • Installing/uninstalling apps
  • Capturing screen activity
  • Taking photos
  • Reading clipboard data
  • Locking/rebooting the device
• Data Harvesting: Steals contact lists, personal messages, ID photos, and banking information in real time.
• Anti-Detection Techniques: Uses modular design, sandbox evasion, and obfuscation to hide from mobile security software.

Should You Be Worried About RedHook Banking Trojan?

Absolutely. RedHook isn’t just another sketchy app—it’s a serious cyberthreat with the potential to:

• Hijack your online banking activity in real time
• Bypass security features and simulate your input
• Steal both personal and financial information, including national ID photos
• Control your phone remotely with powerful RAT features

This trojan is highly active in Vietnam, but similar campaigns could target other regions using localized phishing pages and translated UIs.

Removal Steps

1. Uninstall the Malicious App
   • Go to Settings → Apps
   • Look for any unfamiliar or suspicious app (often disguised as a financial or government app)
   • Tap and uninstall
   • If blocked, restart your phone in Safe Mode and try again
2. Revoke Malicious Permissions
   • Go to Settings → Accessibility and disable permissions granted to the trojan
   • Check Overlay and Device Admin Apps for suspicious access
   • Remove any permission you didn’t knowingly approve
3. Clear Browser Data
   • Open Chrome or your default browser
   • Go to Settings → Privacy → Clear browsing data
   • Wipe history, cookies, and cached files
4. Scan with Mobile Security Software
   • Use a reliable mobile antivirus tool that detects RedHook and similar Android malware
   • Run a full scan and remove flagged threats
5. Factory Reset as Last Resort
   • If the malware persists or resurfaces after reboot, back up important data
   • Go to Settings → System → Reset Options → Erase All Data (Factory Reset)
   • Restore only clean apps and files

Conclusion

RedHook is a stealthy, dangerous Android banking trojan that uses advanced overlay phishing and remote-access capabilities to compromise your data and finances. If you’ve sideloaded apps from unofficial sources—especially those posing as Vietnamese banks or government institutions—act fast. Remove the app, revoke permissions, and clean your device before the malware can do irreversible damage.