RedHook Android malware abuses Wireless ADB for shell access
Malware Activity
Summary
Hide ▲
Show ▼
The RedHook Android malware now abuses Wireless ADB to obtain shell (UID 2000) privileges, expanding its control over infected devices. The change lets the malware operate without a computer connection and increases the risk of screen streaming, keystroke interception, and credential theft. It first abuses Accessibility permissions to enable Developer Options and Wireless Debugging, then pairs over 127.0.0.1 to reach the ADB service. The latest release also adds 53 server-issued commands and multiple persistence mechanisms to keep running.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
INFINITERED REDCap backdoor and credential harvester
Malware Activity
H score26
First: 15.06.2026 22:44
Last: 15.06.2026 22:44
Sources 1
About this happening:
The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...
INFINITERED REDCap backdoor and credential harvester
Malware ActivityAbout this happening: The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
H score26
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware ActivityAbout this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
H score29
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware ActivityAbout this happening: The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
Timeline
-
12.07.2026 17:27 2 articles · 1d ago
Group-IB identifies RedHook Android malware using Wireless ADB for shell access
Initial DisclosureGroup-IB analyzed a new RedHook Android malware variant that abuses Wireless ADB to gain shell (UID 2000) privileges without a computer connection. The malware tricks victims into granting Accessibility permissions so it can enable Developer Options, activate Wireless Debugging, pair over 127.0.0.1, and then use a Shizuku-based framework to execute privileged Android APIs, retain RAT functions such as screen streaming, keystroke interception, UI automation, and credential theft, and persist through multiple restart and sleep-avoidance mechanisms. The latest version is also distributed through social engineering that impersonates government agencies or financial institutions and directs victims to fake Google Play sites.
Show sources
- RedHook Android malware now uses Wireless ADB for shell access — www.bleepingcomputer.com — 12.07.2026 17:27
- RedHook Android malware now uses Wireless ADB for shell access — www.bleepingcomputer.com — 12.07.2026 17:27