RedHook Android Malware Exploits Wireless ADB for Shell Access – New Threat

www.news4hackers.com-redhook-android-malware-exploits-wireless-adb-for-shell-access-new-threat-redhook-android-malware-exploits-wireless-adb-for-shell-access-new-threat

A recently identified variant of the RedHook Android malware employs the Android Wireless Debugging (Wireless ADB) functionality to achieve elevated privileges without requiring a physical connection to a computing device.

Overview of RedHook’s Wireless ADB Exploitation

Security researchers from Group-IB analyzed this updated threat and noted significant enhancements over the version documented in 2025. The malware maintains its core remote access trojan (RAT) capabilities while introducing new attack vectors. The malware exploits the Android Debug Bridge (ADB) framework, which traditionally allows command-line control of Android devices through a connected computer. Wireless ADB, introduced in Android 11, enables similar operations over a wireless connection.

Exploiting Wireless ADB

RedHook manipulates the device’s accessibility features to bypass user interaction requirements. By obtaining Accessibility permissions, the malware automates the process of enabling Developer Options and activating Wireless Debugging. Once configured, it captures the pairing code displayed on the screen and establishes a connection to the device’s ADB service via the loopback interface (127.0.0.1). This method grants the malware shell-level access with User ID (UID) 2000, which provides greater control than standard applications but does not achieve full root privileges. The attack chain operates without requiring device rooting, making it applicable to all Android versions as long as the user grants the necessary permissions.

Shizuku Integration and Privileged Commands

To execute commands, RedHook integrates a Shizuku-based framework, a tool commonly used by developers for advanced Android operations. The malware utilizes Shizuku’s capabilities to run privileged commands, modify system settings, install or uninstall applications, and perform actions without user notifications. This integration leverages Shizuku’s ability to access Android APIs without root access, using a component known as libmx.so as a privileged server. The updated variant supports 53 predefined commands, including screen recording, input simulation, device locking, application management, data collection, and hardware activation.

Persistence Mechanisms

Persistence mechanisms include silent audio playback to maintain process priority, WakeLocks to prevent suspension, a watchdog timer for recovery, and system memory management adjustments to avoid termination.

Distribution Methods

Distribution occurs through social engineering tactics, with attackers impersonating official entities to direct victims to fraudulent Google Play sites.

Security Advisories and Recommendations

Security advisories recommend installing applications exclusively from verified sources, reviewing permission requests during installation, and ensuring Google Play Protect is enabled. The malware’s evolution highlights the importance of proactive security measures, as attackers continue to exploit legitimate system features for malicious purposes. Organizations are urged to monitor device configurations and implement strict application control policies to mitigate risks associated with such threats.



About Author

en_USEnglish