ctipilot.ch

RedHook

tool · tool:redhook-android-rat single-source

Android RAT first documented by Cyble (July 2025) targeting Vietnamese banking users; Group-IB's July 2026 update documents self-service privilege escalation via Accessibility-driven abuse of ADB Wireless Debugging to obtain shell uid 2000 (Shizuku-derived helper), 53 C2 commands, and expanded targeting into Indonesia (Group-IB, 2026-07-09).

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Entries
1
1 distinct days
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-09RedHook Android RAT abuses ADB Wireless Debugging to self-grant shell (uid 2000) privileges without an exploit
    active-threatsRedHook shows a no-exploit Android privilege path: Accessibility automation silently enables Wireless Debugging for a shell-uid helper

Where this entity is cited

  • active-threats1

Source distribution

  • group-ib.com1 (100%)

Entries about RedHook (1)

2026-07-09 · view entry permalink →

NOTABLE

RedHook Android RAT abuses ADB Wireless Debugging to self-grant shell (uid 2000) privileges without an exploit

Group-IB documents a significantly upgraded variant of RedHook, an Android RAT first described by Cyble in July 2025 and previously focused on Vietnamese banking users (Group-IB, 2026-07-09). The notable new capability is self-service privilege abuse over ADB Wireless Debugging with no exploit involved. After the victim is socially engineered — via impersonation calls/messages and a fake Play-Store-styled site — into installing the APK and granting Accessibility through a "required setup" walkthrough, the malware uses Accessibility-driven UI automation to silently navigate Settings, enable Developer Options and Wireless Debugging, then embeds its own ADB client to connect to the device's own ADB daemon over the loopback interface (127.0.0.1) — no PC or USB cable needed. It launches a Shizuku-derived privileged helper that runs under shell uid 2000, from which it grants itself runtime permissions, sets WRITE_SECURE_SETTINGS, installs/uninstalls apps and executes shell commands with no user-facing confirmation dialogs. Group-IB states plainly that "there is no exploit here" — this is abuse of a legitimate developer feature, the same primitive tools like Shizuku have long used, weaponised for the first time by malware.

Persistence is layered: a 1×1-pixel foreground activity, silent MediaSession audio, a foreground-service WakeLock, two mutually cross-rebinding services (bindService with BIND_AUTO_CREATE) that resurrect each other, oom_score_adj tuning to -1000, mlock() memory pinning, and a BOOT_COMPLETED receiver that re-establishes Wireless ADB and the helper on every reboot; screen streaming runs over WebSocket with a parallel RTMP stream once shell privileges exist, bypassing the MediaProjection consent dialog. The command set has grown to 53 server-issued commands, APK payloads are hosted on GitHub and AWS S3 for delivery reliability, and OEM-specific UI-automation routines (Google, Huawei, Meizu, Oppo, Samsung, Vivo, Xiaomi) are present but not yet invoked — suggesting planned device-coverage expansion. Mapped for mobile defenders to T1453 Abuse Accessibility Features, T1541 Foreground Persistence, T1512 Video Capture, T1417 Input Capture, and — closest available mapping for the shell-uid grab — T1626 Abuse Elevation Control Mechanism.

This, however, is the first time we have seen it used by a malware to abuse privileges on a victim's device.

There is no exploit here, "merely" turning a debugging interface into a path to shell-level privileges.

Group-IB 2026-07-09
threat09 Jul 12:30Zsingle-sourceOpen finding ↗
Sources: Group-IB