Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
July 9, 2026
Home/Threats/RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
Threats

RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access

Key Takeaways The RedHook Android banking trojan has been updated to exploit ADB Wireless Debugging, a legitimate developer tool, to achieve shell-level access on infected devices. This new variant...

Jennifer sherman
Jennifer sherman
July 9, 2026 5 Min Read
4 0

Key Takeaways

  • The RedHook Android banking trojan has been updated to exploit ADB Wireless Debugging, a legitimate developer tool, to achieve shell-level access on infected devices.
  • This new variant leverages code from the open-source Shizuku project to gain elevated permissions without requiring device rooting, allowing silent installation of apps and modification of secure settings.
  • The malware is spread through sophisticated social engineering tactics, impersonating government or bank officials to trick users into downloading malicious APKs from fake app stores.
  • RedHook now targets users beyond Vietnam, with new campaigns observed in Indonesia, indicating a broader regional expansion.
  • The trojan employs robust persistence mechanisms, including mutual service monitoring and active screen/audio processes, making it difficult to remove.

RedHook Android RAT Abuses ADB Wireless Debugging

A sophisticated Android banking trojan, known as RedHook, has re-emerged with enhanced capabilities, now exploiting the Android Debug Bridge (ADB) Wireless Debugging feature to gain extensive control over compromised smartphones. This updated approach allows the malware to achieve shell-level access, sidestepping the need for complex exploits and relying instead on the abuse of a standard developer tool.

Table Of Content

  • Key Takeaways
  • RedHook Android RAT Abuses ADB Wireless Debugging
  • ADB Wireless Debugging Exploitation Details
  • Persistence and Command and Control
  • What You Should Do

Unlike its predecessors, which primarily focused on basic screen monitoring and keystroke logging, the latest RedHook variant demonstrates a significant advancement in its privilege escalation strategy. By weaponizing ADB Wireless Debugging, the malware can now acquire permissions typically reserved for core system processes, marking a dangerous evolution in its operational capabilities.

First identified by Cyble researchers in July 2025, RedHook’s current iteration exhibits a more calculated method for abusing permissions. It integrates components from Shizuku, a widely used open-source utility that enables Android enthusiasts to obtain elevated permissions on their devices without undergoing the more complex and risky process of rooting. This integration allows RedHook to covertly install applications, modify sensitive system settings, and grant itself critical permissions without alerting the user through pop-up prompts or confirmation requests.

According to a report shared with Cyber Security News (CSN) by Group-IB, their analysis of the re-engineered malware indicates an expansion of its targeting. Initially observed in Vietnam, RedHook campaigns have now been detected impacting users in Indonesia, suggesting a strategic expansion across Southeast Asia.

The distribution of this malicious application primarily relies on social engineering. Threat actors impersonate government officials or bank support personnel, engaging with victims via phone calls and popular messaging platforms like Zalo. During these interactions, users are manipulated into visiting fraudulent websites, meticulously designed to mimic the legitimate Google Play Store, where they are then coerced into downloading a malicious Android Package Kit (APK).

Upon successful installation, the RedHook application guides users through a deceptive onboarding process. This sequence prompts victims to enable Android’s Accessibility Service, falsely presenting it as a necessary step for the application’s proper functioning. This critical permission then becomes the gateway for the malware’s deeper infiltration.

ADB Wireless Debugging Exploitation Details

Android Debug Bridge (ADB) is a versatile command-line tool that facilitates communication between a computer and an Android device, primarily for development and debugging purposes. Wireless Debugging extends this functionality, allowing developers to connect to a device over a network rather than a physical USB cable.

RedHook ingeniously transforms this legitimate developer feature into an attack vector. Utilizing the previously granted Accessibility Service permissions, the malware automates a series of actions on the victim’s device. It navigates to and enables Developer Options, subsequently activating Wireless Debugging. Crucially, it then pairs itself with the device, effectively masquerading as an authorized computer. All these actions occur silently, concealed from the user by a hidden overlay screen.

Once paired, RedHook initiates its own privileged shell process, operating under uid 2000. This user ID is typically associated with trusted system users, granting the malware significantly more latitude and control than a regular application. From this elevated position, RedHook can perform a wide range of malicious activities, including installing or uninstalling applications, altering secure device settings, and capturing raw touch input without any further user interaction or approval.

Analysis of the malware’s code reveals specific routines designed to trigger Wireless Debugging on devices from various manufacturers, including Google, Huawei, Meizu, Oppo, Samsung, Vivo, and Xiaomi. While these brand-specific routines are currently inactive, their presence suggests a strategic intent for future, more targeted campaigns.

Persistence and Command and Control

RedHook is engineered with formidable persistence mechanisms, ensuring its continued operation on compromised devices. It maintains its presence by simulating a nearly invisible one-pixel screen activity, playing silent audio in the background, and leveraging a wake lock to prevent Android’s battery optimization features from terminating it. Furthermore, the malware employs a mutual monitoring system between two of its internal services. If one service is terminated, the other instantly relaunches its partner, creating a resilient loop that significantly complicates complete removal.

For its communication infrastructure, RedHook utilizes WebSocket connections to facilitate real-time screen streaming and command delivery from its operators. Larger volumes of exfiltrated data, such as stolen passwords and private messages, are transmitted to dedicated web addresses. With shell-level privileges, the malware can also stream video content via RTMP, bypassing Android’s standard consent prompts that typically appear when an application attempts to record the device’s display.

This sophisticated abuse of developer tools underscores the evolving threat landscape in mobile security, where legitimate functionalities are increasingly weaponized by threat actors.

What You Should Do

  • Exercise extreme caution with unsolicited communications: Be highly suspicious of calls or messages, especially those claiming to be from government agencies or financial institutions, that instruct you to download apps or visit non-official websites.
  • Download apps only from official sources: Always use the Google Play Store for Android applications. Avoid downloading APKs from third-party websites, links sent via messages, or unfamiliar sources.
  • Scrutinize Accessibility Service requests: The Accessibility Service is a powerful feature. Be very wary of any app that requests this permission, especially if its core function does not clearly require it. Enabling it can give malware extensive control over your device.
  • Keep your device and apps updated: Regularly update your Android operating system and all installed applications to ensure you have the latest security patches.
  • Implement session monitoring (for financial institutions): Financial organizations should deploy advanced session monitoring tools to detect anomalous user behavior indicative of malware activity before sensitive financial transactions are completed.
  • Monitor for brand impersonation (for financial institutions): Utilize digital risk protection services to identify and take down fake websites and phishing pages that mimic your branding, which are often used to distribute malware like RedHook.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarephishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Microsoft Uses AI Scanning to Discover Vulnerabilities Pre-Exploit

Next Post

GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us