// 2 ZERO-DAY IN THE LAST 24H
The RedHook trojan upgrades its arsenal by abusing Wireless ADB, Shizuku, and Accessibility Service to obtain shell privileges on non-rooted devices.
On July 9, 2026, Group-IB published an analysis of a new version of RedHook, an Android RAT known for a year. The trojan abuses legitimate Android development features — Wireless Debugging, Accessibility Service, and the open-source Shizuku framework — to obtain shell privileges (uid 2000) without requiring a connected computer, zero-day vulnerabilities, or root access. The finding does not reveal a new exploit; it documents a shift in the mobile malware threat model, where developer convenience features become more reliable privilege-escalation vectors than bug chains.
Key Takeaways
  • RedHook uses Accessibility Service to automate enabling Developer Options and Wireless ADB, then self-pairs via loopback 127.0.0.1 as an authorized client of the device itself.
  • It incorporates code from the legitimate Shizuku framework to run a privileged server (libmx.so) with uid 2000 identity, gaining runtime permissions, arbitrary shell commands, and low-level touch-event capture.
  • The campaign has expanded from Vietnam to Indonesia: distribution via social engineering impersonating government agencies and financial institutions, with APKs hosted on AWS S3 and GitHub.
  • The persistence kit includes a 1×1-pixel activity, silent audio, WakeLock, oom_score_adj set to -1000, cross-resurrection between two services, and a watchdog alarm every 5 minutes.

How the Device Becomes Its Own Host

The core mechanism is the abuse of Android Wireless Debugging, introduced in Android 11 to eliminate the USB cable in development. RedHook does not exploit an implementation flaw; it weaponizes the design. According to Group-IB, the malware uses Accessibility Service permissions to automate UI interactions invisible to the user: seven taps on the build number to unlock Developer Options, enabling Wireless Debugbing, and retrieving the pairing code. It then embeds its own ADB client and connects to the device's ADB daemon over the loopback interface 127.0.0.1. The full ADB flow — pairing, authorization, session — remains confined to the device.
"The malware embeds its own ADB client and connects to the device's own daemon over the loopback interface (127.0.0.1), so that the whole ADB flow runs on-device, neither needing a PC nor USB cable" — Group-IB researchers
This architecture bypasses two classic Android security assumptions: that ADB requires a trusted external host, and that manual enabling of Developer Options is a sufficient barrier. The device is simultaneously target and attack host.

From uid 1000 to 2000: Why Shizuku Instead of Root

With the ADB session established, RedHook integrates code from the Shizuku framework — a legitimate tool developers use to run protected system APIs on non-rooted devices. Group-IB documents that the malware launches a "libmx.so" server with uid 2000 (shell) identity, not root (uid 0). At uid 2000, RedHook grants itself runtime permissions, executes arbitrary shell commands, silently installs and removes applications, captures low-level touch events, and obtains WRITE_SECURE_SETTINGS. The current version supports 53 distinct commands from the C2 server. Stopping at uid 2000 rather than pursuing root is functional: it avoids the fragility of exploit chains and the instability typical of modified devices. Shell-level privileges are sufficient for RAT operations (screen streaming via RTMP bypassing MediaProjection, keylogging, data exfiltration via WebSocket and REST API) and generate less detectable friction.

The Persistence Engine: Eleven Overlapping Mechanisms

Group-IB describes a multi-layer persistence system operating on multiple axes simultaneously. The foreground activity is a 1×1-pixel window, invisible to the user but sufficient to prevent termination for inactivity. A silent audio stream via MediaSession keeps the media session open. WakeLock blocks process suspension. The oom_score_adj value is forced to -1000, maximum resistance to Android's low-memory killer. Two services implement cross-resurrection via bindService() with the BIND_AUTO_CREATE flag: the death of one triggers the restart of the other. An alarm every 5 minutes acts as a watchdog. On BOOT_COMPLETED, the malware reactivates the Wireless ADB–Accessibility–Developer Options chain from scratch. It does not rely on a single point of failure.

Targeting and Distribution: The Southeast Asian Financial Perimeter

The first campaign, documented by Cyble in July 2025, was concentrated in Vietnam. Group-IB now detects expansion to Indonesia, with a repertoire of targeted social engineering: calls and messages impersonating government agencies or financial institutions, cloned Google Play Store sites, APKs hosted on legitimate cloud infrastructure (AWS S3, GitHub). The identified C2 domains — skt.3n7wj[.]com, sktv.3n7wj[.]com for WebSocket, api.3n7wj[.]com for REST — are active in the exfiltration chain. The payload SHA-256 hash is 453333bffdd1850ea2e0647f7c805530b578919978a01b1e2be52d6eb2add946, according to CyberSecurityNews. The code contains OEM-specific routines to enable Wireless ADB on Google, Huawei, Meizu, Oppo, Samsung, Vivo, and Xiaomi devices. Group-IB does not document these as actively invoked; they remain future capabilities, not evidence of ongoing campaigns.

What to Do Now

  • Treat every Accessibility Service request with maximum suspicion: it is the prerequisite that enables the entire self-privileging chain, not a harmless feature.
  • Block installation of APKs from sources outside the Google Play Store: the documented distribution chain relies exclusively on socially engineered sideloading.
  • Verify that Developer Options and Wireless Debugging are disabled on corporate and personal devices not used for development: abuse requires both to be active.
  • Monitor WebSocket connections to suspicious domains and unauthorized RTMP sessions: RedHook's screen streaming bypasses the typical MediaProjection user consent.

The Lesson: When Developer Features Become Weapons

RedHook's novelty is not technical in the sense of a discovered vulnerability; it is architectural. The malware demonstrates that the attack perimeter has shifted from security flaws to convenience features. Wireless ADB exists to remove friction for developers; Shizuku to democratize access to system APIs; Accessibility Service for inclusion. Their programmed intersection produces privilege escalation without exploits. For targeted financial institutions, the implication is digital risk protection: clone sites and impersonation campaigns require early brand-abuse detection. For the mobile security sector, the question is whether the threat model for non-rooted devices should still assume that "no PC connected" equals "no ADB vector." For Google and OEMs, the presence of brand-specific routines for seven vendors in the malware code suggests threat actors study development-interface fragmentation as a scalable vector.

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. bleepingcomputer.com
  2. cybersecuritynews.com
  3. cryptika.com
  4. group-ib.com
  5. gbhackers.com
  6. cyberpress.org
  7. deals.bleepingcomputer.com