RedHook – Android Malware Evolves

Overview

Cybersecurity researchers at Group‑IB have uncovered a new variant of the RedHook Android malware, which now exploits Wireless ADB (Android Debug Bridge) to gain shell‑level privileges without requiring a computer connection. This marks a significant expansion of RedHook’s capabilities compared to its 2025 predecessor, while retaining its core remote access trojan (RAT) features.

How the Attack Works

RedHook cleverly abuses Android’s Wireless Debugging, introduced in Android 11, by tricking victims into granting Accessibility permissions.

Attack chain:

  1. Accessibility abuse — malware manipulates Settings to enable Developer Options and Wireless Debugging.
  2. Pairing code retrieval — captures the pairing code displayed on screen.
  3. Loopback connection — connects to the phone’s ADB service via 127.0.0.1.
  4. Shell privileges — gains UID 2000 privileges, stronger than normal app permissions.
  5. Shizuku framework abuse — executes privileged Android APIs, installs/uninstalls apps silently, and modifies protected settings.

This entire chain works without root access, making it effective across all Android devices once Accessibility permissions are granted.

Expanded Capabilities

The latest RedHook variant supports 53 server‑issued commands, including:

  • Screen streaming and screenshot capture.
  • Simulated gestures — taps, swipes, drags, long clicks.
  • App management — install, launch, uninstall apps.
  • Data theft — collect contacts, SMS, and app data.
  • Overlay attacks — fake verification dialogs for credential theft.
  • Device control — lock/unlock, reboot, activate camera.

Persistence Mechanisms

RedHook ensures it stays active through multiple techniques:

  • Silent audio playback to boost process priority.
  • WakeLocks to prevent CPU sleep.
  • Mutual service restarts — two services revive each other if terminated.
  • Watchdog alarms every five minutes.
  • Auto‑restart after boot.
  • oom_score_adj set to -1000, reducing likelihood of termination under low memory.

Distribution Tactics

The malware spreads via social engineering:

  • Attackers impersonate government agencies or financial institutions.
  • Victims are directed to fake Google Play sites hosting the malware.

Defensive Recommendations

Android users should:

  • Install apps only from Google Play.
  • Scrutinize permissions during installation.
  • Enable Play Protect for real‑time scanning.
  • Beware of impersonation scams via calls or messages.

Expert in the Cloud Insight

RedHook’s abuse of Wireless ADB and Shizuku demonstrates how attackers weaponize legitimate developer tools for malicious purposes. By bypassing root requirements, RedHook broadens its reach across Android devices, making Accessibility permissions the new frontline of mobile security.

For defenders, the lesson is clear: user awareness, strict permission control, and proactive monitoring are essential to counter this evolving threat.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.