Group-IB researchers have documented a dangerous new version of RedHook, an Android remote-access trojan that hands attackers near-total control of an infected phone, and it now does so without needing to root the device or exploit any bug. Instead, it quietly turns Android's own developer and debugging features against the victim.
Who is affected
RedHook spreads through social engineering: fraudsters call or message victims while posing as government bodies or banks, then steer them to fake websites that mimic the Google Play Store and push a malicious app. First documented by Cyble in July 2025, the malware has expanded its focus from Vietnam to users in Indonesia, pointing to a wider Southeast Asian campaign. The installer files are hosted on trusted platforms like Amazon S3 and GitHub to make delivery more reliable.
How the attack works
Once installed, RedHook walks the user through enabling Android's Accessibility service, then uses that access to silently switch on Developer Options and Wireless Debugging in the background, hidden behind a full-screen overlay. Borrowing heavily from the open-source Shizuku framework, it connects to the phone's own debugging service over the local loopback address 127[.]0[.]0[.]1, granting itself shell-level privileges normally reserved for a connected computer. Group-IB says this is the first time it has seen malware abuse Wireless Debugging this way. With those privileges the app can install and remove software, change secure settings and grant itself permissions with no prompts. It supports 53 server commands, can stream the screen in real time, log keystrokes, steal lock-screen credentials, intercept text messages, and even trigger the front camera to capture the victim's face during a fake verification prompt.
Hard to kill
RedHook is built to survive. It keeps itself alive with a one-pixel invisible screen, silent audio playback, and a pair of services that relaunch each other if either is killed, plus a boot-time restart that rebuilds its privileged access within seconds of powering on. This kind of overlay-driven takeover echoes other recent Android threats such as the Rokarolla banking trojan that loots hundreds of apps.
What you should do
Only install apps from official stores, and be extremely wary of any app that asks for Accessibility access or walks you through enabling Developer or debugging options. Banks and government agencies do not ask customers to sideload apps from links. Group-IB urges financial organizations to deploy session monitoring that can spot malware before a user enters credentials. Selected defanged indicators include the command server hxxps://api[.]3n7wj[.]com, the streaming endpoint wss://sktv[.]3n7wj[.]com, and the sample hash 453333bffdd1850ea2e0647f7c805530b578919978a01b1e2be52d6eb2add946.
Read the original Group-IB analysis for the full technical breakdown.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.