A nastier version of the RedHook Android malware is making the rounds, and it does not need a USB cable or a rooted phone to take over your device. Researchers at Group-IB discovered the upgraded variant, which is a significant step up from the version spotted in 2025. The scariest part? It uses one of Android’s own built-in tools to do it.
How RedHook malware tricks your Android phone into handing over control
It starts with a fake text or phone call pretending to be your bank or a government agency, nudging you toward a counterfeit Google Play site to install a sketchy app. Once installed, the app asks for Accessibility permissions, which allow Android apps to interact with other apps and settings on your behalf.
If you approve that, it quietly switches on Developer Options and enables Wireless ADB, a built-in Android feature that lets someone control your phone remotely over Wi-Fi.
From there, it connects to your phone’s own debugging service through an internal address and pairs with it using a code it reads directly from your screen. This gives it shell-level privileges, meaning it gains a level of control far beyond what a normal app should have, without ever needing root access.
The latest RedHook version also runs a legitimate developer utility called Shizuku to execute commands in the background, granting itself additional permissions and making changes your phone would normally require your input to allow.
Why this upgrade makes RedHook more dangerous
Once inside, attackers have 53 commands at their disposal. They can watch your screen live, take screenshots, tap and swipe around your phone, lock or unlock it, silently install or delete apps, read your texts and contacts, activate your camera, and reboot your phone remotely.

RedHook malware also uses several tricks to stay alive, including running two services that restart each other if one gets shut down and adjusting its own system priority to avoid being terminated.
To stay protected, only install apps from the official Google Play Store, pay close attention to any Accessibility permission requests, and keep Play Protect turned on.
