RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
Key Takeaways The RedHook Android banking trojan has been updated to exploit ADB Wireless Debugging, a legitimate developer tool, to achieve shell-level access on infected devices. This new variant...
Key Takeaways
- The RedHook Android banking trojan has been updated to exploit ADB Wireless Debugging, a legitimate developer tool, to achieve shell-level access on infected devices.
- This new variant leverages code from the open-source Shizuku project to gain elevated permissions without requiring device rooting, allowing silent installation of apps and modification of secure settings.
- The malware is spread through sophisticated social engineering tactics, impersonating government or bank officials to trick users into downloading malicious APKs from fake app stores.
- RedHook now targets users beyond Vietnam, with new campaigns observed in Indonesia, indicating a broader regional expansion.
- The trojan employs robust persistence mechanisms, including mutual service monitoring and active screen/audio processes, making it difficult to remove.
RedHook Android RAT Abuses ADB Wireless Debugging
A sophisticated Android banking trojan, known as RedHook, has re-emerged with enhanced capabilities, now exploiting the Android Debug Bridge (ADB) Wireless Debugging feature to gain extensive control over compromised smartphones. This updated approach allows the malware to achieve shell-level access, sidestepping the need for complex exploits and relying instead on the abuse of a standard developer tool.
Table Of Content
Unlike its predecessors, which primarily focused on basic screen monitoring and keystroke logging, the latest RedHook variant demonstrates a significant advancement in its privilege escalation strategy. By weaponizing ADB Wireless Debugging, the malware can now acquire permissions typically reserved for core system processes, marking a dangerous evolution in its operational capabilities.
First identified by Cyble researchers in July 2025, RedHook’s current iteration exhibits a more calculated method for abusing permissions. It integrates components from Shizuku, a widely used open-source utility that enables Android enthusiasts to obtain elevated permissions on their devices without undergoing the more complex and risky process of rooting. This integration allows RedHook to covertly install applications, modify sensitive system settings, and grant itself critical permissions without alerting the user through pop-up prompts or confirmation requests.
According to a report shared with Cyber Security News (CSN) by Group-IB, their analysis of the re-engineered malware indicates an expansion of its targeting. Initially observed in Vietnam, RedHook campaigns have now been detected impacting users in Indonesia, suggesting a strategic expansion across Southeast Asia.
The distribution of this malicious application primarily relies on social engineering. Threat actors impersonate government officials or bank support personnel, engaging with victims via phone calls and popular messaging platforms like Zalo. During these interactions, users are manipulated into visiting fraudulent websites, meticulously designed to mimic the legitimate Google Play Store, where they are then coerced into downloading a malicious Android Package Kit (APK).
Upon successful installation, the RedHook application guides users through a deceptive onboarding process. This sequence prompts victims to enable Android’s Accessibility Service, falsely presenting it as a necessary step for the application’s proper functioning. This critical permission then becomes the gateway for the malware’s deeper infiltration.
ADB Wireless Debugging Exploitation Details
Android Debug Bridge (ADB) is a versatile command-line tool that facilitates communication between a computer and an Android device, primarily for development and debugging purposes. Wireless Debugging extends this functionality, allowing developers to connect to a device over a network rather than a physical USB cable.
RedHook ingeniously transforms this legitimate developer feature into an attack vector. Utilizing the previously granted Accessibility Service permissions, the malware automates a series of actions on the victim’s device. It navigates to and enables Developer Options, subsequently activating Wireless Debugging. Crucially, it then pairs itself with the device, effectively masquerading as an authorized computer. All these actions occur silently, concealed from the user by a hidden overlay screen.
Once paired, RedHook initiates its own privileged shell process, operating under uid 2000. This user ID is typically associated with trusted system users, granting the malware significantly more latitude and control than a regular application. From this elevated position, RedHook can perform a wide range of malicious activities, including installing or uninstalling applications, altering secure device settings, and capturing raw touch input without any further user interaction or approval.
Analysis of the malware’s code reveals specific routines designed to trigger Wireless Debugging on devices from various manufacturers, including Google, Huawei, Meizu, Oppo, Samsung, Vivo, and Xiaomi. While these brand-specific routines are currently inactive, their presence suggests a strategic intent for future, more targeted campaigns.
Persistence and Command and Control
RedHook is engineered with formidable persistence mechanisms, ensuring its continued operation on compromised devices. It maintains its presence by simulating a nearly invisible one-pixel screen activity, playing silent audio in the background, and leveraging a wake lock to prevent Android’s battery optimization features from terminating it. Furthermore, the malware employs a mutual monitoring system between two of its internal services. If one service is terminated, the other instantly relaunches its partner, creating a resilient loop that significantly complicates complete removal.
For its communication infrastructure, RedHook utilizes WebSocket connections to facilitate real-time screen streaming and command delivery from its operators. Larger volumes of exfiltrated data, such as stolen passwords and private messages, are transmitted to dedicated web addresses. With shell-level privileges, the malware can also stream video content via RTMP, bypassing Android’s standard consent prompts that typically appear when an application attempts to record the device’s display.
This sophisticated abuse of developer tools underscores the evolving threat landscape in mobile security, where legitimate functionalities are increasingly weaponized by threat actors.
What You Should Do
- Exercise extreme caution with unsolicited communications: Be highly suspicious of calls or messages, especially those claiming to be from government agencies or financial institutions, that instruct you to download apps or visit non-official websites.
- Download apps only from official sources: Always use the Google Play Store for Android applications. Avoid downloading APKs from third-party websites, links sent via messages, or unfamiliar sources.
- Scrutinize Accessibility Service requests: The Accessibility Service is a powerful feature. Be very wary of any app that requests this permission, especially if its core function does not clearly require it. Enabling it can give malware extensive control over your device.
- Keep your device and apps updated: Regularly update your Android operating system and all installed applications to ensure you have the latest security patches.
- Implement session monitoring (for financial institutions): Financial organizations should deploy advanced session monitoring tools to detect anomalous user behavior indicative of malware activity before sensitive financial transactions are completed.
- Monitor for brand impersonation (for financial institutions): Utilize digital risk protection services to identify and take down fake websites and phishing pages that mimic your branding, which are often used to distribute malware like RedHook.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.