securitylab_nJuly 14, 2026🇷🇺Translated from Russian

RedHook Android Trojan Automatically Enables Wireless ADB Debugging to Hijack Devices Without Root or User Interaction

The RedHook trojan, first described in July 2025, has received an unprecedented update that lets it independently enable wireless ADB debugging on compromised Android smartphones, achieving system-shell privileges without root or any action from the victim.

According to researchers at Group-IB, the infection follows a familiar social-engineering pattern. Attackers contact targets by phone or messenger, posing as bank or government representatives, and persuade them to download an application from a fake website styled to resemble an official app store. The malicious APK files themselves are hosted on legitimate infrastructure—GitHub repositories and Amazon S3 cloud storage—reducing the likelihood of detection by security solutions.

After installation, victims are convinced to grant the app accessibility-service permissions under the pretext of enabling full functionality. This single permission serves as the gateway to everything else. With accessibility access, RedHook automatically opens the device settings, taps the build number seven times to reveal the developer menu, and activates wireless debugging—all hidden behind a full-screen overlay.

The malware then runs its own ADB client, which connects directly to the phone’s local debugging server using the loopback address, eliminating any need for an external computer. The technique is built on code from the popular Shizuku framework that advanced users normally employ to extend app capabilities without root.

Once system-level privileges are obtained, RedHook can silently install or remove applications, alter protected settings, and grant itself additional permissions without triggering confirmation dialogs. To remain active as long as possible, the trojan employs several anti-termination tactics: it simulates an active foreground window, plays silent audio, prevents the CPU from sleeping, and blocks the system from killing its process under low-memory conditions.

Two service processes monitor each other and restart their counterpart if either is stopped. After a device reboot, a dedicated component automatically restores all privileges. Stolen data and live screen recordings are transmitted over encrypted connections to attacker-controlled servers; when system rights are already present, the malware can stream the screen without triggering the standard screen-recording permission prompt.

Observed campaigns remain focused on Southeast Asia, with infections confirmed in Vietnam and later in Indonesia. Experts advise installing applications exclusively from official stores, scrutinizing permission requests—especially accessibility access—and remaining wary of unsolicited contacts claiming to represent banks or government agencies.