A new RedHook variant abuses Android Wireless Debugging to gain shell-level privileges without requiring a computer connection by tricking victims into granting Accessibility permissions. The malware automatically enables Developer Options and Wireless Debugging, retrieves the pairing code from the screen, and connects to the phone's ADB service via the loopback interface. This grants UID 2000 shell privileges significantly more powerful than standard Android apps, without requiring root access.
RedHook deploys a Shizuku-based framework to execute shell commands, grant itself additional permissions, modify protected settings, and silently install or remove applications. The malware supports 53 server-issued commands including screen streaming, gesture simulation, app management, contact and SMS collection, overlay creation, camera activation, and device reboot. Persistence mechanisms include silent audio playback to increase process priority, WakeLocks, mutual restarting services, a five-minute watchdog alarm, and an oom_score_adj setting of -1000 to avoid being killed under low memory conditions.
Distribution occurs through social engineering where attackers impersonate government agencies or financial institutions via messages and calls, directing victims to fake Google Play sites. The malware retains remote access trojan features for screen streaming, keystroke interception, UI automation, and credential theft. Android users should install apps only from Google Play, scrutinize requested permissions, and ensure Play Protect remains active. The latest version significantly expands capabilities compared to the previous variant documented in 2025.
Read more...
