RedHook Weaponizes Wireless ADB In Android Banking Malware Leap

Android banking malware has evolved from simple credential-stealing applications into sophisticated remote access platforms capable of persistent device control. The latest version of RedHook shows how quickly mobile threat actors continue to innovate.

Rather than relying solely on traditional Android abuse techniques such as Accessibility Services and overlay attacks, the malware now weaponizes a legitimate developer feature, Wireless Android Debug Bridge (ADB), to obtain shell-level access without requiring root privileges or physical access to the victim's device.

RedHook Weaponizes Wireless ADB In Android Banking Malware Leap

This development represents more than another incremental malware update. It illustrates a broader trend in cybercrime: attackers increasingly prefer to abuse trusted operating system functionality rather than exploit software vulnerabilities. This approach reduces complexity, improves reliability, and makes malicious activity significantly more difficult for security products to distinguish from legitimate system behavior.

For organizations that increasingly support bring-your-own-device (BYOD) environments and mobile-first workforces, RedHook offers an important reminder that enterprise security must extend well beyond desktop endpoints.

Researchers first identified RedHook in 2025, targeting users in Vietnam through phishing campaigns impersonating banks and government agencies. Victims received messages directing them to convincing websites hosting malicious Android application packages (APKs). Once installed, the malware requested Accessibility permissions before establishing remote control over the infected device.

Even in its earlier form, RedHook combined multiple capabilities commonly found across modern Android banking malware families, including:

  • Credential harvesting through fake banking interfaces
  • Continuous screen capture
  • SMS interception
  • Key logging
  • Remote command execution via WebSocket communications
  • Financial fraud through remote operator interaction

These capabilities allowed attackers to bypass many traditional banking security controls, including one-time passwords delivered through SMS and multifactor authentication workflows that depended on user interaction.

The newest variant, discovered by Group IB and reported on, significantly expands those capabilities by introducing what researchers describe as the first known malicious abuse of Android's Wireless ADB functionality. Android Debug Bridge has long been an essential development and troubleshooting tool. Developers use ADB to install applications, execute shell commands, inspect devices, and automate testing.

Historically, ADB access required either a USB connection or deliberate user configuration. Newer Android versions introduced Wireless Debugging, allowing devices to establish secure ADB sessions over local Wi-Fi networks.

RedHook turns this legitimate capability into an attack vector. Rather than exploiting an Android vulnerability, the malware abuses Accessibility Services to navigate Android's settings interface automatically. It enables Wireless Debugging, completes the pairing process, and establishes its own trusted ADB session with the device. Once authenticated, the malware executes shell commands under Android's privileged shell account.

The attackers do not exploit software flaws in Android to bypass its security. Instead, they convince the operating system to grant elevated access using features intentionally designed for developers. Because the operating system treats these actions as legitimate administrative operations, many traditional security controls struggle to identify them as malicious.

Shell-Level Access Without Root

Perhaps the most concerning aspect of RedHook's evolution is what shell-level access enables. Traditional Android malware often relies on Accessibility Services to simulate touch events, capture screen content, and automate user interactions. While powerful, these attacks still operate within application-level restrictions.

Wireless ADB dramatically expands those capabilities. Researchers observed RedHook using shell access to silently grant itself additional permissions, install and remove applications, modify secure settings, and perform administrative functions that previously required either user approval or rooted devices.

The malware reportedly incorporates code derived from the legitimate open-source Shizuku project, which developers commonly use to execute privileged Android commands without rooting devices. By adapting this framework, RedHook gains broader control while avoiding many of the instability issues associated with rooting.

This evolution demonstrates how threat actors increasingly leverage open-source software ecosystems to accelerate malware development.

Despite its sophisticated technical capabilities, RedHook still depends on one of cybercrime's oldest techniques: social engineering.
Victims typically receive phone calls or messaging application communications from individuals impersonating government agencies, financial institutions, or customer support representatives. The attackers create urgency by claiming users must install a required application to maintain account access or complete identity verification.

Rather than distributing malware through Google Play, attackers host malicious APKs on trusted cloud infrastructure, including GitHub repositories and Amazon S3. Using reputable hosting providers helps reduce suspicion while improving download success rates.
Once installed, RedHook requests Accessibility permissions before automatically configuring Wireless Debugging and establishing persistent device control.

The infection chain reinforces an important security lesson: advanced malware often succeeds not through technical exploits but by manipulating human behavior.

Although researchers originally documented RedHook targeting Vietnamese users, recent analysis indicates that it has expanded into Indonesia alongside improvements in malware functionality. The phishing templates, language resources, and command-and-control infrastructure suggest that the operators are adapting their campaigns for additional regional markets.

This pattern reflects a broader trend across financially motivated cybercrime groups. Rather than developing entirely new malware families for different regions, operators increasingly maintain modular malware platforms that can be rapidly localized. New phishing templates, translated interfaces, and targeted banking overlays allow campaigns to expand geographically while preserving the underlying malware architecture.

As mobile devices continue to serve as authentication platforms, productivity tools, and gateways into enterprise environments, organizations must treat them as critical endpoints deserving the same continuous monitoring, behavioral analytics, and active defense applied to traditional desktops and servers.

RedHook's abuse of Wireless ADB is unlikely to remain unique for long. Once threat actors demonstrate that a legitimate feature can reliably grant privileged access without exploiting vulnerabilities, others are likely to follow. Security teams that adapt their detection strategies now will be far better positioned to defend against the next generation of mobile threats.

Share:

facebook
X (Twitter)
linkedin
copy link
Karolis Liucveikis

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

▼ Show Discussion

PCrisk security portal is brought by a company RCS LT.

Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Donate