This Android malware is capable of monitoring your screen, accessing your messages, and remotely controlling your device.
An upgraded version of the RedHook Android malware is spreading, and it can hijack your phone without the need for root access or a USB cable. Researchers at Group-IB uncovered this enhanced variant, marking a notable advancement from the one identified in 2025. The most alarming aspect? It exploits a built-in feature of Android to execute its attack.
How RedHook malware deceives your Android device into relinquishing control
The attack begins with a deceptive text or phone call that poses as your bank or a government entity, directing you to a fraudulent Google Play site to download a malicious app. Once the app is installed, it requests Accessibility permissions that enable it to interact with other apps and system settings on your behalf.
If you grant these permissions, the malware discreetly activates Developer Options and enables Wireless ADB, a feature that permits remote control of your phone over Wi-Fi.
From that point, it links to your phone’s debugging service using an internal address and connects by reading a code from your screen. This grants it shell-level privileges, providing control far beyond that of a standard app, all without needing root access.
The latest version of RedHook utilizes a legitimate developer tool called Shizuku to carry out commands in the background, allowing it to acquire more permissions and make alterations that would typically require user consent.
Why the upgrade enhances RedHook's danger
Once inside, attackers can execute 53 different commands. They are capable of live screen monitoring, taking screenshots, navigating your phone, locking or unlocking it, silently installing or deleting applications, accessing your texts and contacts, turning on your camera, and rebooting your device remotely.
RedHook also employs various techniques to remain persistent, including running dual services that restart each other if one is terminated and modifying its own system priority to prevent shutdown.
To protect yourself, only download apps from the official Google Play Store, be vigilant about any requests for Accessibility permissions, and ensure that Play Protect is enabled.
Other articles
This Android malware is capable of monitoring your screen, accessing your messages, and remotely controlling your device.
A revised variant of the RedHook Android malware utilizes the built-in debugging feature of your phone to remotely control your device, bypassing the need for root access or a USB cable.
