Overview
Cybersecurity researchers at Group‑IB have uncovered a new variant of the RedHook Android malware, which now exploits Wireless ADB (Android Debug Bridge) to gain shell‑level privileges without requiring a computer connection. This marks a significant expansion of RedHook’s capabilities compared to its 2025 predecessor, while retaining its core remote access trojan (RAT) features.
How the Attack Works
RedHook cleverly abuses Android’s Wireless Debugging, introduced in Android 11, by tricking victims into granting Accessibility permissions.
Attack chain:
- Accessibility abuse — malware manipulates Settings to enable Developer Options and Wireless Debugging.
- Pairing code retrieval — captures the pairing code displayed on screen.
- Loopback connection — connects to the phone’s ADB service via
127.0.0.1. - Shell privileges — gains UID 2000 privileges, stronger than normal app permissions.
- Shizuku framework abuse — executes privileged Android APIs, installs/uninstalls apps silently, and modifies protected settings.
This entire chain works without root access, making it effective across all Android devices once Accessibility permissions are granted.
Expanded Capabilities
The latest RedHook variant supports 53 server‑issued commands, including:
- Screen streaming and screenshot capture.
- Simulated gestures — taps, swipes, drags, long clicks.
- App management — install, launch, uninstall apps.
- Data theft — collect contacts, SMS, and app data.
- Overlay attacks — fake verification dialogs for credential theft.
- Device control — lock/unlock, reboot, activate camera.
Persistence Mechanisms
RedHook ensures it stays active through multiple techniques:
- Silent audio playback to boost process priority.
- WakeLocks to prevent CPU sleep.
- Mutual service restarts — two services revive each other if terminated.
- Watchdog alarms every five minutes.
- Auto‑restart after boot.
- oom_score_adj set to -1000, reducing likelihood of termination under low memory.
Distribution Tactics
The malware spreads via social engineering:
- Attackers impersonate government agencies or financial institutions.
- Victims are directed to fake Google Play sites hosting the malware.
Defensive Recommendations
Android users should:
- Install apps only from Google Play.
- Scrutinize permissions during installation.
- Enable Play Protect for real‑time scanning.
- Beware of impersonation scams via calls or messages.
Expert in the Cloud Insight
RedHook’s abuse of Wireless ADB and Shizuku demonstrates how attackers weaponize legitimate developer tools for malicious purposes. By bypassing root requirements, RedHook broadens its reach across Android devices, making Accessibility permissions the new frontline of mobile security.
For defenders, the lesson is clear: user awareness, strict permission control, and proactive monitoring are essential to counter this evolving threat.
Leave a Reply