Security researchers have uncovered a new, more dangerous variant of the RedHook Android banking malware. This updated strain, active in campaigns targeting banking app users in Europe and Latin America, now incorporates a novel technique to gain persistent, elevated access. It abuses the Wireless Android Debug Bridge (ADB) feature, available on Android 11 and later, to grant itself shell access on the infected device. This allows the malware to execute arbitrary commands, steal data, and manipulate other applications without needing a physical USB connection, representing a significant evolution in its capabilities.
RedHook is a banking trojan designed to steal credentials and financial information from Android users. This new variant enhances its ability to control the device and evade removal.
The attack chain demonstrates a sophisticated abuse of Android's system features:
Developer Options and then toggle on Wireless debugging.adb shell commands to grant itself additional permissions, interact with other apps, exfiltrate files, and perform other malicious actions.WakeLock to stay active and employs a "two-service cross-process resurrection mechanism." This involves two internal services that constantly monitor and relaunch each other if one is terminated by the user or the OS.T1446 - Network-Based Replication: While not replicating, the abuse of a network service (Wireless ADB) for self-access is conceptually similar.T1417 - Input Capture: Using Accessibility Services to read the screen and capture user data from banking apps.T1424 - Exploitation for Privilege Escalation: Abusing Accessibility Services to enable Developer Options is a form of privilege escalation.T1403 - Command and Scripting Interpreter: Gaining access to the adb shell provides a powerful command interpreter on the device.A device infected with this RedHook variant is fully compromised. The attacker has persistent, shell-level access, allowing them to:
The persistence mechanism makes the malware extremely difficult for a non-technical user to remove, often requiring a full factory reset of the device.
No specific APK hashes, C2 domains, or IP addresses were provided in the source articles.
On a non-enterprise device, detection is difficult. However, the following are indicators of compromise:
Developer Options enabledWireless debugging enabledadbdAndroid LogcatPrevent users from installing applications from untrusted, third-party sources (sideloading).
Educate users on the dangers of granting powerful permissions like Accessibility Services to unknown applications.
Use MDM policies to disable Developer Options and USB/Wireless debugging across a fleet of corporate devices.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.