A brand new model of RedHook Android malware exploits the Android Wi-fi Debugging (Wi-fi ADB) mechanism in a brand new approach to achieve shell-level privileges with out requiring a pc connection.
Researchers from cybersecurity agency Group-IB analyzed the brand new launch of the cellular malware and mentioned it has considerably expanded performance in comparison with a earlier variant documented in 2025.
On the similar time, the malware retains the performance of a distant entry Trojan (RAT), permitting it to stream screens, intercept keystrokes, automate UI interactions, and steal credentials.
Exploiting Autonomous Wi-fi ADB
ADB (Android Debug Bridge) is Google’s debugging interface that permits customers to regulate Android units from the command line.
This technique runs as an ADB daemon on Android units and means that you can run shell instructions from any laptop operating an ADB shopper.
Wi-fi ADB, first launched in Android 11, offers the identical performance wirelessly with out the necessity to hyperlink units by way of a USB cable.
RedHook primarily turns the telephone into its personal ADB shopper by tricking the sufferer into granting accessibility permissions to the telephone. This lets you routinely manipulate settings, allow developer choices, and allow wi-fi debugging.
The malware then retrieves the pairing code displayed on the display and connects to the telephone’s ADB service through the loopback interface (127.0.0.1).
As soon as paired, the malware positive aspects shell (UID 2000) privileges. Though not root-level, that is considerably extra highly effective than the permissions accessible to common Android apps.
Your complete assault chain doesn’t require the machine to be rooted, so it’ll work on any Android machine so long as the consumer is tricked into approving the accessibility service’s permission request.
The malware then deploys a Shizuku-based framework to execute shell instructions, grant itself extra privileges, modify protected Android settings, silently set up or take away purposes, and carry out numerous operations with out displaying consumer dialog.
Shizuku is a real Android utility that’s standard amongst energy customers and builders and doesn’t require a rooted machine.
RedHook runs the Shizuku code as a part of the assault chain and makes use of it as a privileged server (libmx.so) to name privileged Android APIs as UID 2000.

Supply: Group-IB
Based on Group-IB’s report, the present model of the malware helps the next 53 instructions issued by the server:
- Stream your display and seize screenshots
- Simulate faucets, swipes, gestures, drags and lengthy clicks
- Lock/Unlock System
- Putting in, launching, and uninstalling apps
- Gather contacts, SMS and purposes
- Create an overlay or pretend validation dialog
- begin digicam
- restart your machine
Group-IB’s report additionally highlights a number of persistence mechanisms for malware.
RedHook makes use of silent audio playback to extend course of precedence, WakeLocks to stop CPU sleeps, and two providers that restart one another when one service terminates.
Different mechanisms embody a 5-minute watchdog alarm, automated restart after machine startup, and setting oom_score_adj to -1000 to scale back the possibility of a crash when accessible system reminiscence is low.
The newest model of RedHook is distributed by way of social engineering, by way of messages and telephone calls the place attackers impersonate authorities or monetary establishments and direct victims to a pretend Google Play website.
We advocate that Android customers solely set up apps from Google Play, assessment requested permissions throughout set up, and guarantee Play Shield is energetic on the machine.
Safety groups doc 54% of profitable assaults and challenge a warning on solely 14%. The remaining strikes invisibly by way of the atmosphere.
Picus’ whitepaper exhibits the right way to take a look at your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
