A newly analyzed version of the RedHook Android malware has added a novel technique for obtaining shell-level device control by abusing Android’s Wireless Debugging (Wireless ADB) feature, according to researchers at Group-IB. The update significantly expands the malware’s capabilities compared to the variant documented in 2025, while retaining its core remote access trojan functions such as screen streaming, keystroke interception, UI automation, and credential theft.
Turning the phone into its own ADB client
ADB (Android Debug Bridge) is Google’s debugging interface, normally used from a computer to run shell commands on a connected device. Wireless ADB, introduced in Android 11, allows the same functionality without a USB cable. RedHook exploits this by first tricking victims into granting Accessibility Service permissions, which it then uses to silently navigate Settings, enable Developer Options, and activate Wireless Debugging on the device.
Once enabled, the malware retrieves the pairing code shown on screen and connects to the device’s own ADB service through the loopback interface (127.0.0.1). This grants it shell (UID 2000) privileges, which are more powerful than a standard app’s permissions, though short of full root access. Crucially, the entire chain works without rooting the device, meaning it can potentially affect any Android phone as long as the user approves the initial Accessibility permission prompt.
Shizuku-based privilege escalation
After gaining shell access, RedHook deploys a framework based on Shizuku, a legitimate tool popular with Android power users and developers that does not require root. The malware runs Shizuku code as a privileged server component (libmx.so) to invoke privileged Android APIs as UID 2000, allowing it to grant itself further permissions, alter protected settings, and silently install or remove apps without user-facing dialogs.
Expanded command set and persistence
Group-IB found the current version supports 53 server-issued commands, including screen streaming and screenshot capture, simulated taps and gestures, device locking and unlocking, app installation and removal, contact and SMS collection, fake verification overlays, camera activation, and device reboot.
The malware employs multiple persistence mechanisms: silent audio playback to boost process priority, WakeLocks to prevent CPU sleep, paired services that restart one another, a five-minute watchdog alarm, boot-time auto-restart, and adjusting oom_score_adj to -1000 to resist being killed under low memory conditions.
Distribution and defense
RedHook spreads through social engineering, with attackers impersonating government agencies or financial institutions via messages and calls that direct victims to fake Google Play pages. Users are advised to install apps only from official Google Play, carefully review requested permissions during installation, and ensure Play Protect is active.
