{"id":17973,"date":"2026-07-12T08:44:48","date_gmt":"2026-07-12T15:44:48","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17973"},"modified":"2026-07-12T08:44:48","modified_gmt":"2026-07-12T15:44:48","slug":"redhook-android-malware-now-uses-wireless-adb-for-shell-access","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/07\/12\/redhook-android-malware-now-uses-wireless-adb-for-shell-access\/","title":{"rendered":"Redhook Android Malware Now Uses Wireless ADB for Shell Access"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Good to be aware of as you have to grant the malware rights, if you failed to pickup the social phishing scheme to add the malware to your phone in the first place. This setting is in developer settings if enabled on your phone. I just started playing with adb and fastboot again while waiting for Motorola to unlock a phone I just purchased, and it seems Android is trying some sneaky tactics to keep people from using alternative operating systems, where you can <a href=\"https:\/\/calyxos.org\/install\/antirollback-update-pending\/\" target=\"_blank\" rel=\"noreferrer noopener\">trigger an anti-rollback security feature<\/a> when trying to lock the bootloader after install. And next year we should have a Motorola phone with preinstalled Graphene OS which is much more secure than stock Android and available ROMs. Though in the meantime I&#8217;m going to experiment with <a href=\"https:\/\/lineageos.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">LineageOS<\/a> and <a href=\"https:\/\/calyxos.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">CalysOS<\/a>. <a href=\"https:\/\/iode.tech\/iodeos\/\" target=\"_blank\" rel=\"noreferrer noopener\">IodeOS<\/a> and <a href=\"https:\/\/iode.tech\/iodeos\/\" target=\"_blank\" rel=\"noreferrer noopener\">\/e\/OS\/<\/a> might be worth a look as well. Some of these have easier web based installers now (Chrome based browser) which might make the process much easier.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/redhook-android-malware-now-uses-wireless-adb-for-shell-access\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.bleepingcomputer.com\/news\/security\/redhook-android-malware-now-uses-wireless-adb-for-shell-access\/<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_22a7895b-f204-460b-be6f-f76e6d86fffb\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<p class=\"wp-block-paragraph\">By Bill Toulas<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/07\/09\/Android.jpg\" alt=\"Android\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A new version of the RedHook Android malware abuses the Android Wireless Debugging (Wireless ADB) mechanism in a novel way to gain shell-level privileges without requiring a computer connection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Researchers at cybersecurity company Group-IB analyzed the new release of the mobile malware and say that it significantly expands its capabilities compared to the previous variant documented in 2025.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At the same time, the malware retains its remote access trojan (RAT) features, allowing it to stream the screen, intercept keystrokes, automate UI interactions, and steal credentials.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Autonomous Wireless ADB abuse<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">ADB (Android Debug Bridge) is Google&#8217;s debugging interface that lets a user control an Android device from a command line.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The system, which runs on an Android device as an ADB daemon, enables executing shell commands from a computer running the ADB client.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Wireless ADB, first introduced in Android 11, provides the same capability wirelessly, without requiring the devices to be linked via a USB cable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RedHook essentially turns the phone into its own ADB client by tricking the victim into granting it Accessibility permissions, which let it automatically manipulate Settings, enable Developer Options, and activate Wireless Debugging.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After that, the malware retrieves the pairing code displayed on the screen and connects to the phone\u2019s ADB service via the loopback interface (127.0.0.1).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once paired, the malware gains shell (UID 2000) privileges, which are significantly more powerful than those available to normal Android apps, though not root-level.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The entire attack chain does not require the device to be rooted, so it works across all Android devices as long as the user is tricked into approving the Accessibility Service permission request.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next, the malware deploys a Shizuku-based framework to execute shell commands, grant itself additional permissions, modify protected Android settings, silently install or remove applications, and perform various operations without displaying user dialogs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Shizuku is a legitimate Android utility popular among power users and developers, and does not require a rooted device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RedHook executes Shizuku code as part of its attack chain, using it as a privileged server (libmx.so) to invoke privileged Android APIs as UID 2000.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/July\/diagram.jpg\" alt=\"Attack chain\"\/><figcaption class=\"wp-element-caption\"><strong>RedHook malware attack chain<\/strong><br><em>Source: Group-IB<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">According to <a href=\"https:\/\/www.group-ib.com\/blog\/redhook-android-rat-upgraded\/\" target=\"_blank\" rel=\"noreferrer noopener\">Group-IB&#8217;s report<\/a>, the current version of the malware supports 53 server-issued commands, which include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Screen streaming and screenshot capturing<\/li>\n\n\n\n<li>Simulate taps, swipes, gestures, dragging, and long clicks<\/li>\n\n\n\n<li>Device locking\/unlocking<\/li>\n\n\n\n<li>Install, launch, and uninstall apps<\/li>\n\n\n\n<li>Collect contacts, SMS, and applications<\/li>\n\n\n\n<li>Create overlays or fake verification dialogs<\/li>\n\n\n\n<li>Activate the camera<\/li>\n\n\n\n<li>Reboot the device<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The malware\u2019s multiple persistence mechanisms are also highlighted in Group-IB\u2019s report.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RedHook uses silent audio playback to increase process priority, WakeLocks to prevent CPU sleep, and two services that restart each other when one is terminated.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Other mechanisms include a five-minute watchdog alarm, automatic restart after device boot, and setting oom_score_adj to -1000 to reduce the likelihood of being killed when available system memory is low.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The latest version of RedHook is distributed through social engineering, via messages and phone calls where attackers impersonate government agencies or financial institutions to direct victims to fake Google Play sites.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Android users are advised to install apps only from Google Play, scrutinize requested permissions at installation, and ensure that Play Protect is active on the device.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Good to be aware of as you have to grant the malware rights, if you failed to pickup the social phishing scheme to add the malware to your phone in the first place. This setting is in developer settings if enabled on your phone. I just started playing with adb and fastboot again while waiting [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17973","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17973"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17973\/revisions"}],"predecessor-version":[{"id":17974,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17973\/revisions\/17974"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}