alert http any any -> any any (msg:"BANKER [PTsecurity] RedHook Keyboard Input Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/addKeyboardInput"; endswith; fast_pattern; http.header; content:"clientId|3a 20|"; pcre:"/^[0-9a-f]{32}\x0d\x0a/RH"; content:"Accept|3a| */*"; content:"Content-Type|3a| application/json"; content:"User-Agent|3a| okhttp/"; content:!"Referer|3a|"; http.request_body; content:"{|22|deviceId|22 3a 22|"; startswith; content:"|22|content|22 3a 22|"; distance:0; content:"|22|appPackageName|22 3a 22|"; distance:0; content:"|22|}"; endswith; threshold:type limit, track by_src, seconds 120, count 1; reference:url, tria.ge/250811-yb6lwatsds/behavioral1; reference:url, cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10014433; rev:1;)