Skip to content

RedHook Android Malware Expands Capabilities with Wireless ADB Shell Access

A novel variant of the RedHook Android malware has been discovered, which leverages the Android Wireless Debugging (Wireless ADB) mechanism to gain shell-level privileges without requiring a computer connection. Researchers at Group-IB analyzed the new release and found that it significantly expands its capabilities compared to the previous version documented in 2025.

The RedHook malware retains its remote access trojan (RAT) features, allowing it to stream the screen, intercept keystrokes, automate UI interactions, and steal credentials. ADB (Android Debug Bridge) is Google’s debugging interface that enables executing shell commands from a computer running the ADB client. Wireless ADB provides the same capability wirelessly, without requiring devices to be linked via a USB cable.

RedHook essentially turns the phone into its own ADB client by tricking the victim into granting it Accessibility permissions. This allows it to automatically manipulate Settings, enable Developer Options, and activate Wireless Debugging. The malware then retrieves the pairing code displayed on the screen and connects to the phone’s ADB service via the loopback interface (127.0.0.1).

Once paired, the malware gains shell (UID 2000) privileges, which are significantly more powerful than those available to normal Android apps, though not root-level. The entire attack chain does not require the device to be rooted, so it works across all Android devices as long as the user is tricked into approving the Accessibility Service permission request.

The malware deploys a Shizuku-based framework to execute shell commands, grant itself additional permissions, modify protected Android settings, silently install or remove applications, and perform various operations without displaying user dialogs. Shizuku is a legitimate Android utility popular among power users and developers, and does not require a rooted device.

RedHook executes Shizuku code as part of its attack chain, using it as a privileged server (libmx.so) to invoke privileged Android APIs as UID 2000. The current version of the malware supports 53 server-issued commands, including screen streaming, screenshot capturing, simulating taps and gestures, creating overlays or fake verification dialogs, and more.

The RedHook malware also employs multiple persistence mechanisms, such as silent audio playback to increase process priority, WakeLocks to prevent CPU sleep, and two services that restart each other when one is terminated. Other mechanisms include a five-minute watchdog alarm, automatic restart after device boot, and setting oom_score_adj to -1000 to reduce the likelihood of being killed when available system memory is low.

The latest version of RedHook is distributed through social engineering, via messages and phone calls where attackers impersonate government agencies or financial institutions to direct victims to fake Google Play sites. Android users are advised to install apps only from Google Play, scrutinize requested permissions at installation, and ensure that Play Protect is active on the device.

**Recommendations:*

* Install apps only from Google Play

* Scrutinize requested permissions at installation

* Ensure that Play Protect is active on the device

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *