RedHook Android Malware Uses Wireless ADB to Steal Banking Information Without Root Access

RedHook Android Malware Uses Wireless ADB to Steal Banking Information Without Root Access

Cybersecurity researchers have warned Android users about an upgraded version of the RedHook malware that can gain extensive control over infected smartphones and steal sensitive banking information without requiring root access. According to cybersecurity firm Group IB, the latest version of RedHook introduces new capabilities by abusing Android’s Wireless Android Debug Bridge feature to obtain shell level access on compromised devices without requiring a computer connection or rooted operating system. Researchers said this approach significantly expands the malware’s ability to control infected phones while bypassing the limitations normally placed on standard Android applications. Once installed, the malware enables attackers to remotely interact with devices and collect confidential information that may include banking credentials, passwords, security verification codes, and other sensitive personal data.

Group IB reported that the updated RedHook malware continues to include the remote access capabilities commonly associated with advanced Android banking trojans while expanding its functionality through 53 different server issued commands. Once attackers establish access to an infected device, they can stream the phone’s display in real time, capture screenshots, record keystrokes, collect text messages, access stored contacts, display fake verification windows, lock or unlock the device, and remotely perform taps, swipes, drags, and other touch gestures. These capabilities allow attackers to monitor user activity and capture authentication information entered during online banking or other sensitive transactions. Researchers explained that the malware typically spreads through social engineering campaigns in which attackers contact potential victims by phone calls, text messages, emails, or social media while pretending to represent trusted organizations, technical support services, government agencies, or financial institutions. Victims are then directed to fraudulent websites designed to resemble Google Play, where they are encouraged to download and install malicious Android application package files from outside the official application marketplace.

After installation, the fake application requests Accessibility permission, falsely claiming that it is necessary for normal operation. According to Group IB, this permission enables RedHook to automate actions across the device by navigating Android settings, enabling Developer Options, activating Wireless Debugging, retrieving pairing codes, and connecting to the phone’s own Android Debug Bridge service. Through this process, the malware gains shell level privileges identified as UID 2000. Although these permissions do not provide full root access, they grant the malware substantially greater control than ordinary Android applications. Researchers said this level of access allows RedHook to modify secure system settings, assign itself additional permissions, install or remove applications, capture touch interactions, and execute actions that would normally require user confirmation. To maintain long term access, the malware also incorporates several persistence mechanisms. It uses WakeLock to prevent the device from sleeping, silently plays audio to increase process priority, launches an almost invisible one pixel by one pixel foreground activity, and operates two malicious services that monitor one another so one automatically restarts the other if it is terminated. The malware also survives device reboots, making removal considerably more difficult for users without dedicated mobile security software.

Researchers emphasized that the primary infection method relies on users installing Android application package files from unfamiliar websites rather than through Google Play. They advised Android users to install software only from trusted sources, avoid downloading application files received through unsolicited messages, phone calls, emails, or social media, and carefully review any request for Accessibility permissions before approving it. While Accessibility services are essential for many legitimate applications that assist users with disabilities, they can also provide malicious software with extensive control over device functions and screen content. Group IB recommended keeping Google Play Protect enabled, avoiding fake application store websites, rejecting unnecessary permission requests, uninstalling suspicious applications, scanning devices with trusted mobile security solutions, and contacting financial institutions immediately if banking credentials are believed to have been exposed. The researchers noted that RedHook demonstrates how attackers continue adapting legitimate Android developer features into tools for sophisticated malware operations targeting mobile banking users and sensitive personal information.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment