Read Next

This new Android malware doesn't just spy on your phone, it hijacks it

RedHook found a sneaky new way in, and your phone isn't immune.

Illustration of the Android robot holding a shield and Play Store icon.
Google's Play Protect keeps scanning every app for exactly this kind of behavior. | Image by Google
Group-IB just published a report on an upgraded version of RedHook, an Android banking trojan that abuses wireless ADB, the same debugging tool that lets Galaxy S26 Ultra and Pixel 10 Pro owners tinker with their phones, to quietly grab shell-level access and drain victims' bank accounts. It first targeted Vietnam and has since spread into Indonesia.

RedHook just leveled up on Android


RedHook isn't new. Cyble first documented it in July 2025 as a fairly ordinary banking trojan that watched your screen and logged your keystrokes. Group-IB's newer analysis, published this month, found an updated version that can quietly turn on wireless ADB itself.

The trick to get in hasn't changed. Someone poses as a bank employee or government worker over a call, text, or message and talks the victim into installing an APK from a site dressed up to look like the Play Store. Once it's on the phone, RedHook asks for Accessibility permissions, then taps through Developer options on its own, flips on wireless debugging, and pairs itself like an authorized computer, which hands it shell-level access no ordinary app gets.





A text claiming to be your bank asks you to install an "urgent security update." What do you do?
7 Votes


Why this matters, and who should actually worry


Mostly people who install apps from outside the Play Store need to worry, since RedHook still needs that first click on a fake site. Stick to Play with Play Protect on, and none of this reaches you.

Group-IB also found the malware fighting hard to stay alive. It plays silent audio, keeps the processor from sleeping, and runs two services that restart each other if either gets killed.

None of this works the same way on an iPhone, since Apple doesn't expose anything like wireless ADB to a downloaded app, though that's not the same as saying iPhones are immune to scams generally.

Google has also been working on a fix of sorts. Its Advanced Protection Mode, which we've covered before, is expected to eventually lock down Developer options for users who turn it on, though it isn't there yet.

How to keep RedHook off your phone


Sticking to official app stores and staying skeptical of unsolicited "urgent" messages from your bank stops RedHook cold.

How to protect yourself from RedHook (and malware like it)


  1. Only install apps from Google Play or another official store.
  2. Never grant Accessibility permissions to an app with no obvious reason to need them.
  3. Treat unexpected calls or texts from your bank as suspicious until you verify them.
  4. Check your Developer options screen occasionally for wireless debugging you didn't turn on.
  5. Keep Google Play Protect turned on as your automatic backstop.

The pattern I keep seeing repeat


What stands out to me isn't the banking trojan part (we've seen plenty of those). It's the jump from watching a screen to actually running one, the same direction Vultur and Brokewell took when they leaned on Accessibility to get further into a device than they should.

The fix tends to be the one Google keeps promising: cut off Accessibility's blank check before malware finds a new use for it. I'd like to see that developer options lockdown ship broadly soon, because for now, avoiding this comes down to noticing the trick in time.

Keep your phone a step ahead of the next one:
Six-month unlimited plan is now 57% off
$90
$210
$120 off (57%)
Mint Mobile is now allowing you to get whichever plan you like for either three, six, or 12 months for just $15/mo. If you go for the six-month unlimited service, for instance, you'll now have to pay just $90 upfront instead of $210.
Buy at Mint Mobile
Recommended For You
COMMENTS (0)