RedHook Android RAT Exploits ADB Wireless Debugging for Deep Device Control

A resurfaced Android banking trojan known as RedHook has adopted a novel method to gain extensive control over infected devices by exploiting the Android Debug Bridge (ADB) Wireless Debugging feature. This approach allows the malware to perform actions typically reserved for system-level processes without requiring complex exploits.

Initially identified by researchers in July 2025, RedHook’s latest iteration demonstrates a more sophisticated strategy for privilege escalation. The malware now incorporates code from Shizuku, an open-source tool that enables elevated permissions without rooting the device. By leveraging this technique, RedHook can silently install applications, modify secure settings, and grant itself sensitive permissions without alerting the user.

The malware’s distribution relies heavily on social engineering tactics. Attackers impersonate government officials or bank support staff, contacting potential victims through phone calls and messaging apps like Zalo. They direct users to counterfeit websites designed to mimic the Google Play Store, where victims are deceived into downloading malicious APK files. Once installed, the app guides users through a fake onboarding process, prompting them to enable Accessibility Services under the guise of necessary setup steps.

RedHook’s exploitation of ADB Wireless Debugging is particularly concerning. ADB is a legitimate tool that allows developers to communicate with Android devices via command-line interfaces, and its Wireless Debugging feature extends this capability over a network connection. The malware manipulates this feature by automating interactions through the Accessibility Service, enabling Developer Options, activating Wireless Debugging, and pairing itself as an authorized device—all without the user’s knowledge. A hidden overlay screen conceals these actions, keeping the victim unaware of the ongoing compromise.

Once paired, RedHook initiates a privileged shell process, effectively masquerading as a trusted system user with extensive permissions. This elevated access enables the malware to install or remove applications, alter secure device settings, and capture raw touch input without requiring user approval. Notably, the malware contains code tailored for devices from manufacturers such as Google, Huawei, Meizu, Oppo, Samsung, Vivo, and Xiaomi. Although these routines are currently inactive, they suggest plans for broader targeting in future campaigns.

To maintain persistence, RedHook employs a strategy that involves simulating a nearly invisible one-pixel screen activity, preventing the device from entering sleep mode and ensuring continuous operation. This method underscores the malware’s advanced design aimed at evading detection and removal.

The resurgence of RedHook with these enhanced capabilities highlights the evolving nature of Android malware and the increasing sophistication of cyber threats targeting mobile devices. Users are advised to exercise caution when receiving unsolicited communications, avoid downloading applications from unverified sources, and regularly review device settings for unauthorized changes. Staying informed about such threats and adopting proactive security measures are essential steps in safeguarding personal data and device integrity.