New Phone Malware Can Empty Your Bank Account Without Root Access

Android users have been warned about a newly upgraded malware strain that can quietly take deep control of infected phones and steal sensitive banking information.

Cybersecurity firm Group-IB said the malware, known as RedHook, has returned with more advanced capabilities. The latest version abuses Android’s Wireless ADB feature to gain shell-level access on infected devices without needing the phone to be rooted or connected to a computer.

What RedHook Can Do

The upgraded RedHook malware keeps several common remote-access trojan features.

It can stream the screen, capture screenshots, record keystrokes, collect SMS messages, access contacts, create fake verification windows, lock or unlock the device, and simulate taps, swipes, drags, and other gestures.

Group-IB said the current version supports 53 server-issued commands, giving attackers broad remote-control capabilities once a phone is infected.

These abilities can be used to steal banking credentials, security codes, passwords, and other sensitive information entered on the device.

How the Malware Spreads

Attackers usually contact victims through phone calls, messages, emails, or social platforms while pretending to be from trusted organisations, technical support teams, government bodies, or financial institutions.

Victims are then directed to fake websites that imitate the Google Play Store. These pages trick users into downloading and installing a malicious APK file outside the official app store.

Once installed, the fake app asks for Accessibility permission, claiming that it needs this access to function properly.

Why Accessibility Permission is Dangerous

Group-IB said RedHook uses Accessibility access to automate actions on the phone.

After permission is granted, the malware can navigate Android settings, enable Developer Options, turn on Wireless Debugging, retrieve the pairing code, and connect to the phone’s own ADB service. This gives it shell-level privileges known as UID 2000.

This is not the same as full root access, but it still gives the malware far more control than a normal Android app.

With this access, RedHook can modify secure settings, grant itself additional permissions, install or remove apps, capture touch events, and carry out actions without normal user confirmation prompts.

Hard to Shut Down

RedHook also uses several persistence techniques to stay active.

It can keep the phone awake with WakeLock, use silent audio playback to increase process priority, and launch a nearly invisible 1×1 pixel activity so Android treats it like a foreground process.

Group-IB also found a two-service recovery system. If one malicious service is stopped, the other relaunches it. The malware also checks every few minutes to ensure both services remain active.

The malware can also restart after the phone reboots, making it difficult for normal users to remove without proper security tools.

Not a Google Play Store App

The main infection risk comes from sideloading APKs from unfamiliar websites.

Security researchers advise users to install apps only from trusted sources such as Google Play and to avoid downloading APK files from links sent through messages, calls, emails, or social media.

Users should also be especially careful when any app asks for Accessibility permission. This permission can be useful for legitimate accessibility tools, but it can also allow malicious apps to read the screen and perform actions on behalf of the user.

How to Stay Safe

Android users should keep Google Play Protect enabled, avoid fake app-store pages, and reject suspicious permission requests.

If a recently installed app asks for Accessibility access without a clear reason, users should treat it as a red flag. They should also uninstall suspicious apps, scan the phone with a trusted mobile security tool, and contact their bank if they suspect their financial details were exposed.

RedHook shows how attackers are turning legitimate Android developer features into powerful malware tools. For most users, the safest step is simple: do not install APKs from unknown links or unofficial websites.

Stay Connected with ProPakistani

Get the latest tech news, telecom insights, and product launches wherever you prefer.

Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.



Get Alerts

ProPakistani Community

Join the groups below to get latest news and updates.



>