New RedHook Version Gains Deeper Control of Android Devices
Android users are being warned about an upgraded mobile malware threat capable of taking extensive control of infected devices and stealing sensitive financial information.
Cybersecurity researchers have identified a more advanced version of RedHook, an Android banking trojan and remote-access tool. The malware can monitor a victimโs screen, record keystrokes, collect private information and remotely operate infected phones.
The latest version is more dangerous because it abuses Androidโs Wireless Debugging feature to obtain shell-level access. This provides greater control than an ordinary application normally receives, although it does not give the malware full root access.
RedHook was initially documented in 2025 after researchers discovered campaigns targeting users in Vietnam. Recent activity indicates that the operators have expanded their focus to Indonesia, suggesting a wider campaign across Southeast Asia. Researchers have not confirmed that the latest campaign is targeting Android users worldwide.
However, the techniques used by RedHook could place Android users in other regions at risk if similar malicious applications and phishing websites are distributed more widely.
Attackers Use Fake Messages, Calls and Download Pages
The RedHook infection usually begins with social engineering. Attackers contact potential victims through phone calls or messaging applications while pretending to represent a bank, financial institution, government department or customer support service.
Victims may be told that they must verify an account, complete an official procedure, update a banking application or resolve an urgent security problem. The attackers then direct them to a fraudulent website carrying familiar branding.
These websites are designed to resemble trusted financial platforms or the Google Play Store. However, instead of providing a legitimate application, the website asks the victim to download an Android application package, commonly known as an APK file.
Researchers found that some RedHook files were hosted on widely used services, including GitHub repositories and Amazon cloud storage. Using recognised platforms can make the download links appear more trustworthy to victims.
The malware does not normally infect a phone simply because a message is received. The victim must usually follow the link, download the malicious file, install the application and approve powerful permissions.
This means the attackers rely heavily on urgency, fear and convincing impersonation. They may claim that immediate action is required to prevent an account suspension, financial loss or service interruption.
Accessibility Permission Opens the Door to Device Control
After installation, the fake application asks the victim to activate Android Accessibility Services. This feature is designed to help people interact with their devices, but it can provide extensive control when granted to an untrusted application.
Once Accessibility access is approved, RedHook can automatically navigate through the phoneโs settings. It can enable Developer Options and activate Wireless Debugging without requiring the victim to complete each step manually.
Wireless Debugging is part of the Android Debug Bridge system. It was created for developers who need to test, manage or troubleshoot Android devices without using a physical cable.
RedHook turns the infected phone into its own debugging client. It retrieves the pairing code displayed by Android and connects to the deviceโs local debugging service.
This process allows the malware to gain shell-level privileges. Those privileges can be used to change protected settings, execute commands and perform actions that are unavailable to ordinary Android applications.
Researchers said the attack does not require a rooted phone. However, it still depends on the victim approving the Accessibility Services request.
RedHook also uses components from Shizuku, a legitimate Android utility commonly used by developers and advanced users. The malware abuses this technology to access protected Android functions and strengthen its control over the infected phone.
Malware Can Watch Screens and Steal Banking Credentials
Once the attack is successful, RedHook can perform many actions remotely. Researchers said the latest version supports 53 commands issued by its operators.
The malware can stream the victimโs screen and capture screenshots. This could expose banking applications, account balances, private conversations, verification messages and other sensitive information.
RedHook can also record keystrokes. This allows it to capture usernames, passwords, card details and other information entered on the phone.
Attackers may remotely simulate taps, swipes, gestures and long presses. These capabilities allow them to navigate applications and interact with the device as though they were physically holding it.
The malware can lock or unlock the phone, launch applications, install or remove software and collect information about contacts, text messages and installed applications.
It may also display fraudulent verification windows or place fake screens over legitimate applications. Such screens can deceive victims into entering banking credentials or personal information directly into forms controlled by the attackers.
Researchers also found that RedHook can activate the phoneโs camera and reboot the device. These capabilities give criminals powerful surveillance and control options.
The earlier RedHook campaign was already capable of collecting banking information, identity documents, passwords and verification codes. It also used remote-access features to control compromised phones and collect text messages.
With access to banking credentials, verification messages and the victimโs phone, attackers may be able to enter financial accounts or approve fraudulent activity. The exact loss would depend on the bankโs security controls and the level of access obtained by the criminals.
RedHook Uses Several Methods to Remain Active
Another major concern is the malwareโs ability to remain active after infection.
Researchers said RedHook uses several persistence techniques to prevent Android from shutting it down. It can play silent audio to increase its process priority and use wake locks to keep the phoneโs processor active.
The malware also runs services that can restart each other. If one service is stopped, another may attempt to activate it again.
RedHook can set alarms that check its status every five minutes. It can also restart after the phone is switched on.
These methods make the malware harder to remove and allow it to continue operating in the background. A victim may therefore remain exposed even after closing the fake application or restarting the phone.
Unexpected changes to Developer Options or Wireless Debugging settings could be a warning sign. Other possible indicators may include unknown applications, unusual permission requests, unexplained battery use or suspicious activity involving banking and messaging accounts.
However, the absence of obvious signs does not prove that a device is secure. Advanced malware is designed to operate quietly and avoid attracting attention.
How Android Users Can Protect Their Phones
Android users should avoid installing applications from links received through unexpected messages, calls or social media conversations. Banking, government and telecommunications applications should be downloaded through official stores or verified company websites.
Users should also examine permission requests carefully. A basic banking, shopping, delivery or verification application should not normally require complete Accessibility control without a clear and legitimate reason.
Google recommends keeping Play Protect enabled. The service scans applications during installation and regularly checks devices for potentially harmful software. It may warn users, disable dangerous applications or remove them when malicious behaviour is detected.
Users can review application permissions through Android settings. Access to the camera, contacts, files, text messages and other sensitive functions should be removed from applications that do not require it.
Developer Options and Wireless Debugging should remain disabled unless they are actively needed for legitimate development or troubleshooting.
Phone owners should also keep Android and installed applications updated. Security updates can fix weaknesses and improve protection against newly identified threats.
What to Do if RedHook Infection Is Suspected
Anyone who believes a suspicious application has been installed should stop using the affected phone for banking, shopping or password changes until the device has been checked.
A security scan should be performed, and suspicious applications should be removed. Google Play Protect can be opened through the Play Store to check the phone for potentially harmful applications.
Passwords for banking, email and other important services should be changed from a separate, trusted device. Two-factor authentication should also be enabled where available. The US Federal Trade Commission recommends stopping sensitive logins on an infected device, running a security scan and changing passwords after possible malware exposure.
Banking customers should examine their accounts for unauthorised payments, transfers or changes. Any suspicious activity should be reported to the bank immediately.
Because RedHook has advanced persistence features, deleting the visible application may not always be enough. Users should seek help from their phone manufacturer, mobile security provider or a trusted technical professional if suspicious behaviour continues.
The RedHook campaign shows how criminals are combining phishing, accessibility abuse and legitimate development tools to create more powerful Android attacks. Users should treat unexpected download requests and unusual permission prompts as serious warning signs.
