Updated
Updated · Group-IB · Jul 9
RedHook Abuses Android ADB to Gain Shell Access, Expands to 53 Commands
Updated
Updated · Group-IB · Jul 9

RedHook Abuses Android ADB to Gain Shell Access, Expands to 53 Commands

3 articles · Updated · Group-IB · Jul 9

Summary

  • Group-IB said the latest RedHook Android RAT can autonomously turn on Wireless Debugging and gain shell-level uid 2000 access, a shift beyond standard RAT features such as keylogging and screen streaming.
  • Using Accessibility-driven taps, the malware enables Developer Options, pairs to the device’s own ADB daemon over 127.0.0.1, and borrows Shizuku-based privileges to grant permissions, change secure settings and run shell commands.
  • 53 server-issued commands now support actions including silent app install or removal, SMS and credential theft, fake verification prompts, camera use and screen capture that can bypass MediaProjection consent when shell privileges are active.
  • A multi-layer persistence stack keeps RedHook alive through reboot and idle states, including a 1x1 pixel activity, silent audio, dual-service mutual resurrection, 5-minute checks and an oom_score_adj of -1000.
  • Recent activity shows targeting has widened from Vietnam to Indonesia, with victims lured via spoofed government and financial sites while malicious APKs are hosted on GitHub and AWS S3.

Insights

How does new malware turn a phone's debugging tool into a key for silent, total system access?
Are Android's own accessibility and developer tools becoming its biggest security liability?