Introduction
Security operations teams must be on high alert for a significant evolution in Android malware tactics. A new version of the RedHook trojan has been observed actively abusing the Android Wireless Debugging (Wireless ADB) feature to establish unauthorized shell-level access. Unlike traditional ADB abuse, this variant does not require a physical computer connection to the device. Instead, it programmatically enables Wireless ADB on compromised endpoints, opening a pathway for threat actors to execute remote commands, exfiltrate data, or move laterally within the wireless environment. Given the privileged nature of ADB access, this technique effectively gives the attacker full control over the device without triggering standard user interaction prompts.
Technical Analysis
Affected Products & Platforms:
- Platform: Android (versions supporting Wireless Debugging, typically Android 11 and later).
- Malware Family: RedHook (Banking Trojan/Remote Access Trojan).
Vulnerability & Exploitation Status: This campaign does not rely on a specific CVE (2025/2026); rather, it is an abuse of a legitimate debugging feature.
- CVSS N/A: Feature Abuse / Privileged Persistence.
- Exploitation Status: Confirmed active exploitation (in-the-wild).
Attack Chain & Technique:
- Initial Infection: The device is typically compromised via a malicious app download (trojanized utility) or phishing SMS (smishing).
- Privilege Escalation: The malware requests or exploits permissions to modify system settings (often abusing
WRITE_SECURE_SETTINGSor accessibility services). - Enabling Wireless ADB: The RedHook payload executes specific shell commands or uses Android APIs to:
- Enable Developer Options.
- Activate "Wireless Debugging."
- Set the ADB daemon to listen on TCP port 5555.
- Remote Access: Once enabled, the device listens for TCP connections. An attacker on the same network (or via port forwarding) can connect to the device's IP address on port 5555 and establish an
adb shell, granting them full execution rights.
Detection & Response
Sigma Rules
The following Sigma rules detect the programmatic enabling of Wireless ADB and the resultant network socket activity.
---
title: RedHook Malware - Wireless ADB Enabled via Settings
id: 8b2a4c1d-6e9f-4c3a-9b1d-5f6e8a9b2c3d
status: experimental
description: Detects attempts to enable Wireless ADB debugging on Android devices via system settings commands, a behavior associated with RedHook malware.
references:
- https://www.bleepingcomputer.com/news/security/redhook-android-malware-now-uses-wireless-adb-for-shell-access/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: android
detection:
selection_settings:
CommandLine|contains:
- 'settings put global adb_enabled 1'
- 'settings put global adb_wifi_enabled 1'
selection_svc:
CommandLine|contains:
- 'svc adb tcp-port 5555'
- 'svc adb enable'
condition: 1 of selection_*
falsepositives:
- Legitimate developer enabling debugging manually (rarely done via script in prod)
level: high
---
title: RedHook Malware - ADB Listening Port Activity
id: 9c3b5d2e-7f0a-5d4b-0c2e-6g7f9a0c3d4e
status: experimental
description: Detects network connections on TCP port 5555, indicative of ADB over WiFi usage, which is rare in non-development environments.
references:
- https://www.bleepingcomputer.com/news/security/redhook-android-malware-now-uses-wireless-adb-for-shell-access/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: android
detection:
selection:
DestinationPort: 5555
condition: selection
falsepositives:
- Legitimate developers using wireless debugging on corporate Wi-Fi
level: medium
KQL (Microsoft Sentinel / Defender)
Hunt for suspicious process execution and network connections associated with ADB on Android endpoints.
// Hunt for Wireless ADB enabling commands
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "settings put global"
and (ProcessCommandLine has "adb_enabled" or ProcessCommandLine has "wifi_enabled")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend HuntPhase = "Persistence/Privilege Escalation";
// Hunt for ADB Network Connections (Port 5555)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 5555 or LocalPort == 5555
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName
| extend HuntPhase = "Command and Control"
Velociraptor VQL
Endpoint forensic artifact to identify if ADB is listening on the non-standard WiFi interface and check for specific RedHook indicators.
-- Hunt for Android devices listening on ADB port 5555
SELECT
Protocol,
LocalAddress,
LocalPort,
State,
PID,
StartTime
FROM netstat()
WHERE LocalPort = 5555
AND Protocol = "tcp"
AND State =~ "LISTEN"
-- Check global settings for ADB enablement
SELECT FullPath, Data
FROM glob(globs=['/data/data/com.android.providers.settings/databases/settings.db'])
-- Note: Querying SQLite directly requires specific VQL artifact, checking process list for RedHook related names instead
-- Supplemental: Suspicious Process Hunting
SELECT Pid, Name, Exe, Cwd, CommandLine
FROM pslist()
WHERE Name =~ "redhook"
OR Name =~ "com.settings.security"
OR CommandLine =~ "5555"
Remediation Script (Bash)
This script is intended for use via Mobile Device Management (MDM) "Run Script" functionality or an ADB shell (if a forensic analyst has regained control). It forcefully disables ADB and resets developer options.
#!/bin/bash
# Security Arsenal - RedHook Remediation Script
# Purpose: Disable Wireless ADB and Developer Options to break RedHook C2
echo "[*] Disabling ADB over TCP..."
service call connectivity 24 i32 0 > /dev/null 2>&1
# Alternate command for newer Android versions
settings put global adb_enabled 0
settings put global adb_wifi_enabled 0
# Force stop the ADB daemon
setprop service.adb.tcp.port 0
stop adbd
start adbd
echo "[*] Disabling Developer Options to prevent re-enabling..."
settings put global development_settings_enabled 0
echo "[*] Verifying ADB status..."
ADB_STATUS=$(settings get global adb_enabled)
if [ "$ADB_STATUS" == "0" ]; then
echo "[+] ADB successfully disabled."
else
echo "[-] Warning: ADB may still be active. Manual review required."
fi
echo "[*] Remediation complete. Recommend immediate device wipe if persistent infection is confirmed."
Remediation
To effectively mitigate the threat posed by the RedHook variant leveraging Wireless ADB, security teams should implement the following measures:
- Immediate Isolation: Identify devices with suspicious network connections on port 5555 and isolate them from the WiFi network immediately.
- Disable Developer Options: Ensure corporate devices strictly prohibit Developer Options. Use your EMM/MDM (e.g., VMware Workspace ONE, Microsoft Intune) to push a configuration policy that disables these settings at the OS level.
- Application Vetting: RedHook often arrives via trojanized applications. audit installed applications for unnecessary permissions (specifically
WRITE_SECURE_SETTINGSor Accessibility Services). - Network Segmentation: Prevent mobile devices from communicating directly with sensitive server segments. Monitor WiFi traffic for anomalies on port 5555.
- Factory Reset: If a device is confirmed to be infected with RedHook, a factory reset is the only guaranteed method to remove all persistence mechanisms. Backup data only after ensuring malicious APKs are not included in the restore.
Official Advisory & Source:
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.