RedHook Android Malware Uses Wireless ADB to Control Infected Devices

Views: 47 views

384/69 Tuesday, July 14, 2026

Security researchers have disclosed that a new version of the RedHook Android malware uses Wireless Android Debug Bridge (ADB) to access the Android shell on infected devices without requiring a connection to a computer or root privileges. After tricking users into granting Accessibility permissions, this technique allows the malware to obtain shell privileges, or UID 2000, which are higher than those of a typical Android application. This enables the malware to execute commands or modify certain system settings.

Reports indicate that RedHook is distributed through fraudulent messages and phone calls impersonating government agencies or financial institutions. The attackers use websites impersonating Google Play to trick users into downloading and installing malicious applications. Once Accessibility permissions are granted, the malware controls the screen to enable Developer Options and Wireless Debugging, reads the pairing code displayed on the device, and connects to the ADB service through the loopback interface. After pairing is completed, RedHook uses a framework developed from Shizuku to execute commands with shell privileges and expand its ability to access or modify protected system settings, including installing or removing applications without showing a confirmation prompt to the user.

Android users should install applications only from Google Play or trusted sources. They should grant only permissions that are necessary for an application’s functionality, especially Accessibility permissions, and keep Google Play Protect enabled. If Developer Options or Wireless Debugging is found to be enabled, unknown ADB pairings are present, or applications have been installed or removed without user action, users should remove unknown ADB pairings, disable Wireless Debugging, uninstall suspicious applications, and immediately check the device’s security.

Source: https://www.bleepingcomputer.com/news/security/redhook-android-malware-now-uses-wireless-adb-for-shell-access/