A resurfaced Android banking trojan called RedHook has returned with a dangerous new trick, hijacking a legitimate developer feature to quietly seize deep control of infected phones.
Rather than relying on complex exploits, the malware weaponizes ADB Wireless Debugging, a tool built for app developers, to grant itself privileges normally reserved for system-level processes.
This shift marks a notable escalation from earlier versions of the malware, which focused mainly on screen monitoring and keystroke theft.
RedHook was first spotted by researchers at Cyble in July 2025, but its latest form shows a far more calculated approach to privilege abuse.
The malware now integrates code from Shizuku, a well known open source tool that Android hobbyists use to unlock elevated permissions without rooting a device.
By borrowing this technique, RedHook can silently install apps, change secure settings, and grant itself sensitive permissions with no popups or confirmation prompts for the victim.
.webp)
Group-IB said in a report shared with Cyber Security News (CSN) that they examined the retooled malware and found that its targeting has expanded beyond Vietnam to include users in Indonesia, pointing to a broader push across Southeast Asia.
The malicious app is spread through social engineering, with attackers posing as government officials or bank support staff over phone calls and messaging apps like Zalo.
Victims are guided to fake websites styled to resemble the Google Play Store, where they are tricked into downloading a malicious APK.
Once installed, the app pushes users through a fake onboarding flow to enable Accessibility Service, framing it as a routine step needed to use the app properly.
RedHook Android RAT Abuses ADB Wireless Debugging
ADB, short for Android Debug Bridge, normally lets a computer control a phone through a command line, and Wireless Debugging simply extends that link over a network instead of a USB cable.
RedHook flips this developer feature into an attack tool by running automated taps through the Accessibility service, turning on Developer Options, enabling Wireless Debugging, and pairing itself as though it were an authorized computer, all while a hidden overlay screen keeps the victim in the dark.
Once paired, the malware launches its own privileged shell process known as uid 2000, essentially posing as a trusted system user that Android grants far more freedom than an ordinary app.
.webp)
From that position, RedHook can install or remove apps, alter secure device settings, and capture raw touch input without ever needing user approval.
The malware also includes brand specific code for triggering Wireless Debugging on devices from Google, Huawei, Meizu, Oppo, Samsung, Vivo, and Xiaomi, though these routines are not yet active and appear reserved for future campaigns.
Persistence and Command and Control
RedHook backs up its privilege abuse with an unusually resilient survival strategy. It keeps itself alive by spoofing a nearly invisible one pixel screen activity, playing silent audio in the background, and holding a wake lock so Android’s battery saver never shuts it down.
Two of its internal services also watch over each other, instantly relaunching a partner process if it gets killed, creating a loop that is difficult to fully stop.
For communication, the malware relies on WebSocket connections for screen streaming and command delivery, while sending larger volumes of stolen data, such as passwords and messages, to dedicated web addresses.
With shell level privileges active, it can also stream video over RTMP, bypassing the usual consent screen Android shows when an app tries to record the display.
.webp)
Group-IB recommends that financial institutions deploy session monitoring tools to catch malware activity before customers enter sensitive details, and pair this with digital risk protection to spot fake websites copying their branding.
For individual users, the advice is simpler but just as important: avoid clicking unfamiliar links, only install apps from official stores, and treat any request for Accessibility Service permissions with real suspicion.
RedHook shows how easily attackers can turn ordinary developer tools into weapons, and why features like Accessibility and Wireless Debugging deserve closer scrutiny going forward. The defenders need to stay alert as these abuse techniques continue to evolve.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| File Hash (SHA-256) | 453333bffdd1850ea2e0647f7c805530b578919978a01b1e2be52d6eb2add946 | Malicious RedHook APK payload |
| URL | hxxps://api.3n7wj[.]com | Command and control API endpoint |
| WebSocket URL | wss://skt.3n7wj[.]com | Command and control WebSocket channel |
| WebSocket URL | wss://sktv.3n7wj[.]com | Screen streaming WebSocket endpoint |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access appeared first on Cyber Security News.

