A brand new model of the RedHook Android malware abuses the Android Wi-fi Debugging (Wi-fi ADB) mechanism in a novel option to acquire shell-level privileges with out requiring a pc connection.
Researchers at cybersecurity firm Group-IB analyzed the brand new launch of the cellular malware and say that it considerably expands its capabilities in comparison with the earlier variant documented in 2025.
On the identical time, the malware retains its distant entry trojan (RAT) options, permitting it to stream the display, intercept keystrokes, automate UI interactions, and steal credentials.
Autonomous Wi-fi ADB abuse
ADB (Android Debug Bridge) is Google’s debugging interface that lets a consumer management an Android machine from a command line.
The system, which runs on an Android machine as an ADB daemon, allows executing shell instructions from a pc operating the ADB consumer.
Wi-fi ADB, first launched in Android 11, offers the identical functionality wirelessly, with out requiring the units to be linked by way of a USB cable.
RedHook primarily turns the cellphone into its personal ADB consumer by tricking the sufferer into granting it Accessibility permissions, which let it mechanically manipulate Settings, allow Developer Choices, and activate Wi-fi Debugging.
After that, the malware retrieves the pairing code displayed on the display and connects to the cellphone’s ADB service by way of the loopback interface (127.0.0.1).
As soon as paired, the malware features shell (UID 2000) privileges, that are considerably extra highly effective than these accessible to regular Android apps, although not root-level.
Your complete assault chain doesn’t require the machine to be rooted, so it really works throughout all Android units so long as the consumer is tricked into approving the Accessibility Service permission request.
Subsequent, the malware deploys a Shizuku-based framework to execute shell instructions, grant itself further permissions, modify protected Android settings, silently set up or take away purposes, and carry out numerous operations with out displaying consumer dialogs.
Shizuku is a legit Android utility standard amongst energy customers and builders, and doesn’t require a rooted machine.
RedHook executes Shizuku code as a part of its assault chain, utilizing it as a privileged server (libmx.so) to invoke privileged Android APIs as UID 2000.

Supply: Group-IB
In keeping with Group-IB’s report, the present model of the malware helps 53 server-issued instructions, which embody:
- Display streaming and screenshot capturing
- Simulate faucets, swipes, gestures, dragging, and lengthy clicks
- Machine locking/unlocking
- Set up, launch, and uninstall apps
- Accumulate contacts, SMS, and purposes
- Create overlays or pretend verification dialogs
- Activate the digital camera
- Reboot the machine
The malware’s a number of persistence mechanisms are additionally highlighted in Group-IB’s report.
RedHook makes use of silent audio playback to extend course of precedence, WakeLocks to stop CPU sleep, and two providers that restart one another when one is terminated.
Different mechanisms embody a five-minute watchdog alarm, computerized restart after machine boot, and setting oom_score_adj to -1000 to scale back the chance of being killed when accessible system reminiscence is low.
The newest model of RedHook is distributed by way of social engineering, by way of messages and cellphone calls the place attackers impersonate authorities companies or monetary establishments to direct victims to pretend Google Play websites.
Android customers are suggested to put in apps solely from Google Play, scrutinize requested permissions at set up, and be certain that Play Defend is energetic on the machine.
Safety groups log 54% of profitable assaults and alert on simply 14%. The remainder transfer by way of your surroundings unseen.
The Picus whitepaper reveals how breach and assault simulation exams your SIEM and EDR guidelines so threats cease slipping by detection.


