RedHook Android Malware Uses Wireless ADB for Shell Access

RedHook Android Malware Abuses Wireless ADB for Persistent Shell Access

HIGH
July 13, 2026
5m read
MalwareMobile Security

Related Entities

Products & Tech

Android Android Debug Bridge (ADB)Google Play Store

Other

RedHook

Full Report

Executive Summary

Security researchers have uncovered a new, more dangerous variant of the RedHook Android banking malware. This updated strain, active in campaigns targeting banking app users in Europe and Latin America, now incorporates a novel technique to gain persistent, elevated access. It abuses the Wireless Android Debug Bridge (ADB) feature, available on Android 11 and later, to grant itself shell access on the infected device. This allows the malware to execute arbitrary commands, steal data, and manipulate other applications without needing a physical USB connection, representing a significant evolution in its capabilities.


Threat Overview

RedHook is a banking trojan designed to steal credentials and financial information from Android users. This new variant enhances its ability to control the device and evade removal.

  • Malware: RedHook
  • Affected Platforms: Android 11 and later.
  • Target Regions: Europe, Latin America.
  • Primary Goal: Steal banking credentials and financial data.
  • Key New Technique: Abusing Wireless ADB for persistent shell access.

Technical Analysis

The attack chain demonstrates a sophisticated abuse of Android's system features:

  1. Initial Access: The victim is lured via a phishing message (smishing) to a fake Google Play Store page, where they are prompted to download and install a malicious APK file.
  2. Permission Abuse: Upon installation, the malware aggressively requests permissions, with a focus on gaining access to Accessibility Services. This is a powerful permission that allows an app to read the screen and perform actions on behalf of the user.
  3. Enabling Wireless ADB: The malware uses its Accessibility Services privileges to programmatically navigate through the device's settings menu to enable Developer Options and then toggle on Wireless debugging.
  4. Self-Pairing: The malware then initiates the pairing process for Wireless ADB and, using its ability to read the screen and tap buttons, approves its own pairing request.
  5. Shell Access: Once paired, the malware has shell-level access to the device over the local network. It can now execute adb shell commands to grant itself additional permissions, interact with other apps, exfiltrate files, and perform other malicious actions.
  6. Persistence: To prevent removal, the malware uses a WakeLock to stay active and employs a "two-service cross-process resurrection mechanism." This involves two internal services that constantly monitor and relaunch each other if one is terminated by the user or the OS.

MITRE ATT&CK Mapping

Impact Assessment

A device infected with this RedHook variant is fully compromised. The attacker has persistent, shell-level access, allowing them to:

  • Steal credentials from any banking or financial app on the device.
  • Intercept one-time passwords sent via SMS.
  • Install additional malware or spyware.
  • Access personal files, photos, and contacts.
  • Make the device part of a mobile botnet.

The persistence mechanism makes the malware extremely difficult for a non-technical user to remove, often requiring a full factory reset of the device.

IOCs — Directly from Articles

No specific APK hashes, C2 domains, or IP addresses were provided in the source articles.

Cyber Observables — Hunting Hints

On a non-enterprise device, detection is difficult. However, the following are indicators of compromise:

Type
other
Value
Developer Options enabled
Description
The unexpected enabling of Developer Options on a user's device is a major red flag.
Context
User observation, Mobile Device Management (MDM) policy check
Type
other
Value
Wireless debugging enabled
Description
The enabling of this feature, especially if the user did not do it themselves, is a strong indicator of compromise.
Context
User observation, MDM policy check
Type
process_name
Value
adbd
Description
The presence of the ADB daemon running and listening on a network port.
Context
Device forensics, network scanning on the local Wi-Fi network
Type
log_source
Value
Android Logcat
Description
Logs may show activity related to Accessibility Services being used to change system settings.
Context
Device forensics

Detection & Response

  • For Individuals: Be extremely wary of any app that requests Accessibility Services permissions. This permission is very powerful and should only be granted to highly trusted apps from reputable developers (e.g., password managers). If you suspect infection, the most reliable solution is to perform a factory reset.
  • For Enterprises (MDM): Use a Mobile Device Management (MDM) solution to enforce policies that prevent users from enabling Developer Options or USB/Wireless debugging. Monitor the fleet for devices that fall out of compliance with this policy.

Mitigation

  • Install from Official Stores: Only install applications from the official Google Play Store. Avoid sideloading APKs from third-party websites or links sent via text message.
  • Scrutinize Permissions: Carefully review the permissions an app requests before and after installation. Be particularly suspicious of requests for Accessibility Services, Device Administrator, or the ability to draw over other apps.
  • Keep Android Updated: Install Android security updates as soon as they become available to protect against the exploitation of known vulnerabilities.
  • Disable Developer Options: Unless you are a developer and actively need it, ensure that Developer Options is disabled on your device.

Timeline of Events

1
July 13, 2026
This article was published

MITRE ATT&CK Mitigations

Prevent users from installing applications from untrusted, third-party sources (sideloading).

Educate users on the dangers of granting powerful permissions like Accessibility Services to unknown applications.

Use MDM policies to disable Developer Options and USB/Wireless debugging across a fleet of corporate devices.

Sources & References

Daily Cybersecurity News – July 12, 2026
Cyber Recaps (cyberrecaps.com) July 12, 2026
New Android malware can drain bank accounts silently
The News International (thenews.com.pk) July 13, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

AndroidMalwareRedHookBanking TrojanMobile SecurityADB

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.