RedHook Android Malware Turns Phones Into Their Own Debugging Tool
A new build of the RedHook trojan tricks Android users into switching on Wireless Debugging, then quietly promotes itself to a privilege level normal apps can never reach.

Key points
- Researchers at Group-IB have documented a new version of the RedHook Android malware that abuses Wireless Debugging, a built-in developer feature, to gain shell-level access on a phone without any computer being connected.
- The malware needs only one thing from the victim: approval of an Accessibility Service permission prompt, after which it enables Developer Options and pairs with the phone's own debugging service over the loopback address 127.0.0.1.
- RedHook supports 53 remote commands, including screen streaming, keystroke capture, silent app install and uninstall, camera activation, and fake verification overlays.
- The malware is distributed through social engineering calls and messages that impersonate government agencies or banks and push victims to fake Google Play pages.
- The attack works on any Android device, rooted or not, as long as the user approves the initial Accessibility permission.
A new strain of Android malware has found a clever way around the usual limits placed on phone apps. It talks to the phone's own debugging tools, the same ones a developer would use, and gets a level of control that ordinary apps are never given.
The malware is called RedHook. Researchers at the cybersecurity firm Group-IB, who first reported the update after BleepingComputer covered earlier variants, say this version is a significant step up from the one seen in 2025.
It keeps all the tricks of a remote access trojan, a piece of software that lets a criminal operate a device from afar. It streams the screen. It records what you type. It steals login details. And now it hands itself extra powers using a legitimate Android feature.
How does this attack actually work on someone's phone?
It starts with a permission prompt. Victims are directed, usually through a phone call or message impersonating a bank or a government office, to a fake Google Play page. They install the app. The app then asks for Accessibility Service access, a powerful Android permission designed to help users with disabilities operate their device.
Once granted, RedHook uses that access to do what a human finger would do. It opens Settings. It taps into Developer Options. It switches on Wireless Debugging, a feature added in Android 11 that lets a computer send commands to a phone over Wi-Fi instead of a USB cable.
Here is the clever part. Instead of waiting for a computer to connect, RedHook reads the pairing code off the screen and connects the phone to itself, using the loopback address 127.0.0.1, which is a network address every device uses to talk to itself.
The malware now holds a shell session with UID 2000 privileges. That is the same level of access a developer would have with a cable plugged in. It is not full root access, but it is far above what any normal app can do.
What can RedHook do once it has that access?
Quite a lot. Group-IB counted 53 different commands the malware will accept from its operators. It can take screenshots, stream what you are looking at, simulate taps and swipes, lock or unlock the device, install and remove apps silently, harvest contacts and text messages, switch on the camera, and paint fake verification screens on top of real banking apps.
It also fights to stay alive. RedHook plays silent audio to keep its process priority high. It uses WakeLocks to stop the phone sleeping. Two of its services restart each other if one is killed. A watchdog alarm fires every five minutes. It even adjusts a Linux kernel setting called oom_score_adj to -1000, which tells Android not to shut it down when memory runs low.
To run privileged commands, RedHook piggybacks on Shizuku, a legitimate tool popular with power users. It loads Shizuku's code as a helper library (libmx.so) and uses it to call protected Android functions.
What should Android users do?
Install apps only from the official Google Play Store. Read permission requests carefully, especially any request for Accessibility access, which very few apps genuinely need. Keep Google Play Protect switched on. If a caller claiming to be from your bank or a government office tells you to install something from a link, hang up and call the number on the back of your card.



