VYPR
researchPublished Jul 9, 2026· 1 source

RedHook Android RAT Evolves to Weaponize ADB Wireless Debugging for Deep System Control

The RedHook Android banking trojan has been updated to abuse ADB Wireless Debugging and the Shizuku tool, granting it shell-level access and silent permission escalation capabilities.

A sophisticated Android banking trojan, known as RedHook, has resurfaced with a significant enhancement: the ability to weaponize ADB Wireless Debugging, a legitimate developer feature, to gain deep, shell-level access on infected devices. This evolution marks a departure from its previous capabilities, which primarily focused on screen monitoring and keystroke theft, indicating a more aggressive and intrusive approach by its operators.

RedHook's new technique leverages the Shizuku tool, an open-source utility that allows users to unlock elevated permissions on Android devices without requiring root access. By integrating Shizuku's functionality, RedHook can now silently install applications, modify critical device settings, and grant itself sensitive permissions without triggering any user interaction or confirmation prompts. This stealthy privilege escalation is a key component of its updated attack chain.

The malware is distributed through social engineering tactics, with attackers impersonating authoritative figures such as government officials or bank support staff. They engage victims via phone calls and messaging applications, directing them to fake websites designed to mimic the Google Play Store. Here, users are deceived into downloading a malicious APK file, which initiates the infection process.

Once installed, the RedHook trojan guides victims through a deceptive onboarding flow that prompts them to enable the Accessibility Service. This permission is framed as a necessary step for the app's proper functioning, masking its true malicious intent. The Accessibility Service then enables RedHook to automate taps and interact with the device's interface, facilitating the activation of Developer Options and Wireless Debugging.

ADB, or Android Debug Bridge, normally allows a computer to control a phone via a command line, with Wireless Debugging extending this capability over a network. RedHook exploits this by enabling Wireless Debugging and pairing itself with a malicious server, effectively posing as an authorized computer. This grants the malware a privileged shell process, identified as uid 2000, which Android treats with significant trust, affording it far greater operational freedom than standard applications.

With this elevated access, RedHook can perform a wide range of malicious actions without user consent, including installing or uninstalling apps, altering secure device settings, and capturing raw touch input. The malware also contains specific code for initiating Wireless Debugging on devices from major manufacturers like Google, Huawei, Samsung, and Xiaomi, though these routines are not yet actively deployed and appear to be reserved for future campaigns.

To ensure persistence, RedHook employs several survival mechanisms. It maintains its presence by using a nearly invisible one-pixel screen activity, playing silent audio, and holding a wake lock to prevent Android's battery saver from terminating it. Furthermore, its internal services monitor each other, ensuring that if one process is killed, the other automatically relaunches it, creating a resilient operational loop. For command and control, it utilizes WebSocket connections for screen streaming and command delivery, while larger data exfiltration is sent to dedicated web addresses. It can also stream video over RTMP, bypassing Android's display recording consent screen.

Researchers recommend that financial institutions implement session monitoring tools and digital risk protection to detect malicious activity and fake websites. End-users are advised to exercise caution with unfamiliar links, download apps only from official stores, and be highly suspicious of any requests for Accessibility Service permissions. RedHook exemplifies how attackers can repurpose legitimate developer tools for malicious ends, highlighting the need for increased scrutiny of features like Accessibility and Wireless Debugging.

Synthesized by Vypr AI