Skip to main content
LiMP VPN
All news

RedHook Trojan Turns On Android Debugging to Seize Devices

RedHook Trojan Turns On Android Debugging to Seize Devices

In short: In July 2026 researchers described an upgraded version of the RedHook Android trojan that abuses the Accessibility service to turn on "Wireless debugging" by itself and gain shell-level rights on the phone. After that it silently grants itself permissions, installs and removes apps and steals banking data — all without a single prompt. The best defense is to never grant Accessibility to unknown apps and to install APKs only from official stores.

What happened

Analysts published a breakdown of a new build of RedHook — an Android banking trojan first documented back in July 2025. The fresh version got a dangerous upgrade: it no longer needs the user to manually enable developer mode. Using the Accessibility service, the malware taps through the settings on its own, unlocks Developer Options, switches on "Wireless debugging" and pulls the pairing code — and the victim sees nothing behind a full-screen overlay. If you want to understand how spyware and trackers reach a phone in the first place, start with our guide on protecting your phone from surveillance.

The trojan spreads through social engineering: attackers call or message the victim, pose as a bank or support desk, and talk the person into installing a malicious APK from a fake site. First seen targeting users in Southeast Asia, the technique is generic — any Android owner who sideloads a booby-trapped app is at risk.

How RedHook takes over a phone

The core trick is abuse of ADB (Android Debug Bridge) over Wi-Fi. Once "Wireless debugging" is on, the malware connects to the device's own loopback interface with a built-in ADB client and, borrowing code from the open-source Shizuku framework, launches a privileged helper process. That gives it shell-level rights (uid 2000).

From there RedHook can grant itself any runtime permissions, write to protected system settings, run arbitrary shell commands, and install or uninstall apps silently — with no security prompts or confirmation dialogs. To survive, it holds WakeLocks, plays silent audio to keep its priority high, and re-enables wireless debugging after every reboot.

What it means for your data

Shell-level access effectively hands the attacker your phone. RedHook is a banking trojan: it overlays fake login screens on banking apps, intercepts SMS and one-time codes, logs keystrokes and reads on-screen data. That opens the door to your accounts, correspondence and money. Because it grants itself permissions on its own, the usual advice to "just deny suspicious requests" no longer fully protects you. If you suspect your data has already surfaced somewhere, check with our guide on how to check for a personal-data leak.

How can you protect yourself?

Install apps only from official stores. RedHook lives in APKs from fake sites and messenger links. Google Play and vetted vendor stores are far safer; disable installation from unknown sources.

Never grant Accessibility to apps that do not clearly need it. This one permission is what lets the trojan drive your settings. A flashlight, a "bank update" or a "delivery" app has no business asking for it.

Don't act on pressure. A real bank never calls to make you install an APK. Hang up and dial the number on your card yourself.

Keep Android and Google Play Protect updated, and review which apps hold Accessibility and Developer Options access. Our step-by-step guide to setting up a VPN on Android also covers basic device hygiene.

Where does a VPN fit in?

A VPN will not remove a trojan that is already on your phone — that job belongs to careful installs and mobile antivirus. But a VPN closes the network side of the risk: it encrypts your traffic on untrusted Wi-Fi so credentials and codes cannot be intercepted in transit, and hides your real IP from sites and your provider, shrinking the data an attacker can gather about you. See how LiMP VPN handles it and pick a plan on our pricing page. Treat it as one layer of defense, alongside safe installs and app hygiene.

Sources

This report is based on the RedHook analysis published in July 2026 by Group-IB and covered by GBHackers.

RedHook Trojan Turns On Android Debugging to Seize Devices | LiMP VPN