Researchers have discovered new malware for Android that can secretly empty bank accounts by gaining deep access to devices through wireless ADB. This malware is an enhanced version of the RedHook remote access trojan (RAT) identified last year and features multiple anti-detection functions.
Originally targeting victims in Vietnam, the malware has now shown signs of expanding its reach to other parts of Southeast Asia, particularly Indonesia. According to cybersecurity research firm Group-IB, the RedHook trojan infiltrates devices when victims click links sent via text messages, phone calls, emails, or social media.
Attackers often impersonate support agents or employees from trusted organizations to persuade users to install an APK from a fake website mimicking the Google Play Store. After installation, users are tricked into granting Accessibility permissions under the pretense that these are necessary for normal app functionality.
Once these permissions are granted, the malware can enable wireless ADB by navigating to Developer options, gaining full control of the device. This allows attackers to access keystrokes, screen locks, and screen streaming.
The upgraded RedHook uses advanced techniques to make it nearly impossible to remove. It employs a WakeLock to keep the malware running constantly and can keep the screen active by enabling a nearly invisible 1×1 pixel, convincing Android to treat it as a key process that should not be terminated.
Group-IB notes that this version of RedHook utilizes a “two-service cross-process resurrection mechanism,” allowing two functions to revive each other if one is killed, complicating removal efforts.
To protect against such threats, users are advised to download apps only from official sources like the Google Play Store. Caution is advised when downloading APKs, with close attention to permission requests. Evidence suggests that Android may address a security loophole by disabling access to Developer options in future updates, but until then, users should avoid suspicious links in emails, texts, or social media.




