Bkav warns of campaign using malware on Vietnam’s Android platforms

The Bkav security group has recently issued a warning regarding a campaign utilizing the RedHook malware to steal personal data, bank account information and gain control over devices specifically on Android operating systems in Vietnam.

[Image] These are images which the RedHook malware usually uses, said Bkav

Hackers are creating counterfeit websites that impersonate government agencies and reputable financial organizations such as the State Bank of Vietnam (SBV), Sacombank (Sacombank Pay), the Central Power Corporation (EVNCPC), and the vehicle registration scheduling system. They embed malware within these applications and deceive users into downloading them onto their phones through various tactics, including sending emails, messaging via chat applications, or running advertisements on search engines.

The counterfeit applications are disguised with names similar to legitimate applications, differing only in the file extension (for example, SBV.apk), and are hosted on Amazon S3 cloud storage, allowing hackers to easily update, modify, and conceal harmful content. Once installed, the counterfeit application prompts users to grant deep access permissions to the system including Accessibility and Overlay permissions.

By combining these two permissions, a hacker can monitor user actions, read SMS message content, obtain OTP codes, access contacts, and even manipulate the device on behalf of the user without leaving any obvious traces.
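The permission combination described above (an accessibility service plus the overlay permission, alongside SMS and contacts access) is something an analyst can check for mechanically before a sample is ever run. The following triage script is an added example written for this article; it is not Bkav's tooling, and it assumes the manifest has already been decoded to plain XML (for instance with apktool), since the manifest inside an APK is binary-encoded. The package name and service name in the embedded sample manifest are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CONTACTS_PERM = "android.permission.READ_CONTACTS"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the risky permissions requested by a decoded AndroidManifest.xml.

    The high-risk flag is raised only for the combination the report describes:
    an accessibility service together with the overlay permission.
    """
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

    # A service becomes an accessibility service only when it is guarded by
    # BIND_ACCESSIBILITY_SERVICE, so that attribute is the reliable marker.
    accessibility_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERM_ATTR) == ACCESSIBILITY_BIND
    ]

    findings = {
        "package": root.get("package"),
        "overlay": OVERLAY_PERM in requested,
        "sms": sorted(requested & SMS_PERMS),
        "contacts": CONTACTS_PERM in requested,
        "accessibility_services": accessibility_services,
    }
    findings["high_risk"] = findings["overlay"] and bool(accessibility_services)
    return findings


# Constructed sample manifest (placeholder package/service names, not from a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.bankapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Bank">
        <service android:name="com.example.placeholder.bankapp.AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(xml))
```

A legitimate banking app rarely needs an accessibility service at all, so the high-risk flag is a strong triage signal on its own; the SMS and contacts entries are reported separately because they explain what the sample could harvest once those two permissions are granted.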

Upon reverse-engineering the source code of RedHook, experts from Bkav's malware analysis center discovered that this virus integrates up to 34 remote control commands, including taking screenshots, sending and receiving messages, installing or uninstalling applications, locking and unlocking the device, and executing system commands. It utilizes the MediaProjection API to record all content displayed on the device's screen and transmit it back to the control server.

RedHook employs a JSON Web Token (JWT) authentication mechanism, allowing the attacker to maintain control over the device for an extended period, even after the device has been restarted.

Bkav's analysis found that numerous code segments and interface strings are written in Chinese, along with several clear traces pointing to the development origins of the hacker group. According to Bkav, the RedHook dissemination campaign is linked to fraudulent activities that have previously occurred in Vietnam.

For instance, the use of the domain mailisa[.]me, a well-known beauty service that was previously exploited, to distribute malware indicates that RedHook is not operating in isolation but is rather a product of a series of organized attack campaigns, meticulously orchestrated in both technical execution and deceptive strategies. The command server domains employed in this campaign include api9.iosgaxx423.xyz and skt9.iosgaxx423.xyz, both of which are anonymous addresses located abroad and are not easily traceable.

Bkav advises users to strictly avoid installing applications from outside the Google Play Store, especially APK files received via messages, email, or social media. Users should not grant Accessibility permissions to applications from unknown sources.

Organizations are urged to implement access monitoring, DNS filtering, and set up alerts for connections to suspicious domains associated with malware command-and-control infrastructure.

If infection is suspected, users should immediately disconnect from the internet, back up important data, perform a factory reset, change all account passwords, and contact their bank to verify account status.
