
The RedHook Android trojan has significantly evolved, now exploiting Wireless ADB (Android Debug Bridge) to gain shell access with UID 2000 privileges. This allows the malware to execute privileged commands without requiring root access or physical USB connections. Group-IB confirms all classic RAT functionality remains: keystroke logging, automated actions, and data exfiltration.
RedHook's New Capabilities
The latest version introduces a previously unseen attack vector through Wireless ADB, first implemented in Android 11. Key upgrades include:
- Enabling Wireless Debugging via developer settings
- Using loopback interface (127.0.0.1) for connections
- Automatically capturing pairing codes via Accessibility Service
- Integration with Shizuku framework for privileged operations
- Support for 53 remote control commands from C2 servers
- Automatic deployment of additional payload modules
- New OTP interception module via notifications
- Automated CAPTCHA bypass in banking apps
Wireless ADB Exploitation Mechanics
RedHook bypasses security measures on TCP port 5555 through:
- Automated 6-digit pairing code generation
- Circumventing 7-day passwordless connection limits
- Creating hidden ADB sessions in background
- Exploiting PackageManager API vulnerabilities for silent APK installs
- Gesture emulation to confirm ADB connections without user interaction
- APK signature spoofing via PackageInstaller flaws
- Sandbox escape through system process code injection
Multi-Stage Attack Workflow
The trojan executes a sophisticated attack chain:
- Obtains Accessibility permissions via social engineering
- Activates hidden developer options
- Enables Wireless Debugging covertly
- Scrapes pairing codes from device display
- Establishes localhost ADB connection
- Deploys libmx.so module for privilege escalation
- Polls command server every 5 minutes
- Downloads targeted attack modules
- Activates anti-detection mechanisms
Privileges and Capabilities
Upon successful infection, RedHook gains:
| Privilege | Capabilities | Risks |
|---|---|---|
| Shell access (UID 2000) | System command execution, configuration changes | Disabling antivirus, modifying system files |
| Via Shizuku | App installation/removal, protected API access | Stealthy banking trojan deployment |
| 53 commands | Remote server control including data theft | SMS/call log export, 2FA code interception |
Modular Payload System
RedHook can deploy plugins for:
- Stealing data from protected /data/data/ folders
- Injecting code into banking apps
- Intercepting financial service push notifications
- Screen recording at 30fps
- Bypassing biometric authentication
- Recording call audio via microphone
- Exfiltrating cloud storage files (Google Drive, Dropbox)
Persistence Techniques
RedHook employs advanced anti-detection measures:
- Silent audio playback to maintain process priority
- WakeLocks to prevent device sleep
- Dual self-healing services
- Setting oom_score_adj to -1000
- TLS 1.3 encrypted C2 communications
- Dynamic C2 domain rotation
- 2-5 minute delay before post-infection activity
- App icon spoofing
- Falsified battery usage statistics
Version 3.1 Improvements
Key upgrades in RedHook v3.1:
- 4x faster ADB session activation
- Android 14 support (previously capped at 13)
- New browser cookie theft modules
- Google Play Protect bypass via trusted certificate spoofing
- Enhanced C2 traffic obfuscation
- Support for Snapdragon 8 Gen 3 devices
- Kernel exploit framework integration
- Encrypted messenger data extraction
Infection Vectors and Protection
Primary distribution methods:
- Government impersonation phishing messages
- Fake Google Play store sites
- "Security verification" scam calls
- Maliciously modified banking apps
- Fake GitHub updates (NFCShare technique)
- SMS attachments with forged receipts
- Social media fake promotions
Detection and Prevention
RedHook detection methods:
- Monitor unusual port 5555 activity
- Check processes with UID 2000
- Audit unauthorized developer setting changes
- Review Accessibility Service requests
- Scan for Shizuku files in system directories
- Analyze network traffic for suspicious DNS queries
- Inspect logs for abnormal ADB activity
- Verify unusual system app permissions
Protection recommendations:
- Only install apps from official Google Play
- Scrutinize requested permissions
- Disable Wireless Debugging when unused
- Enable Play Protect
- Block port 5555 in corporate firewalls
- Deploy EDR solutions for shell command monitoring
- Regularly review active developer services
- Restrict developer options via MDM policies
Questions & Answers
How does RedHook gain ADB access?
By manipulating developer settings and auto-connecting via loopback after capturing pairing codes. The process completes in under 30 seconds after obtaining Accessibility permissions. The trojan exploits Settings API vulnerabilities to enable debugging without user confirmation.
Which devices are vulnerable to RedHook?
All Android 11+ devices with Accessibility permissions. Xiaomi, Samsung and Realme smartphones are particularly vulnerable due to ADB implementation differences. Custom ROM devices without security updates are also high-risk.
Can RedHook obtain root access?
No, it operates with UID 2000 (shell) privileges - below root but sufficient for most malicious operations. Through Shizuku, it can execute commands with system (UID 1000) privileges. Rare kernel exploits may enable full root access via downloadable modules.
How to detect RedHook infection?
Check for:
- Active developer services
- High-priority background processes
- Unusual ADB activity
- libmx.so in /data/local/tmp
- Suspicious port 5555 connections
- Anomalous Accessibility requests
- Unauthorized security setting changes
Which banking apps are targeted?
RedHook attacks 217 financial/crypto apps including:
- Mobile banks (Sberbank, Tinkoff, Alfa-Bank)
- Crypto wallets (Trust Wallet, MetaMask)
- Payment systems (PayPal, Google Pay)
- Trading apps (Binance, Bybit)
- Government services (Gosuslugi, Russian MVD)
- Tax service apps
- E-wallets (Qiwi, WebMoney)
Which Android versions are vulnerable?
Primarily Android 11+ due to Wireless ADB, but older versions remain vulnerable to other trojan features via standard exploits. Android 14 devices with enhanced security settings offer better protection.
How to secure enterprise devices?
Recommended measures:
- Block USB debugging via MDM policies
- Deploy EMM solutions monitoring ADB activity
- Restrict developer options access
- Update SIEM rules to detect Shizuku
- Sandbox financial applications
- Implement hardware security keys for critical operations
- Enforce MFA for all enterprise services
- Conduct regular security awareness training