Affiliate links on Android Authority may earn us a commission. Learn more.
New malware for Android can empty your bank accounts in secret
Jul 13, 2026 — 8:46 AM ET

- Researchers have discovered a new malware that gains deep access to your phone and obtains high-level permissions via wireless ADB to empty your bank accounts.
- This is an enhanced version of the RedHook remote access trojan spotted last year, but with multiple anti-detection functions.
- Though this malware was originally targeted at victims in Vietnam, it has since shown signs of expanding to other parts of Southeast Asia, including Indonesia.
Wireless ADB (Android Debug Bridge) is one of those tools that makes life a little easier for developers and enthusiasts alike. On the other hand, some of these tools continue to be exploited by malicious actors to facilitate mass financial scams on unsuspecting victims. An extensive report now discloses one such malware.
Cybersecurity research firm Group-IB details how this Android remote access trojan (RAT), known as RedHook, infiltrates devices when victims click links sent via text messages, phone calls, email, or other social media platforms. Attackers may impersonate support agents or employees of trusted and popular organizations to trick users (via Bleeping Computer).
The victims are then convinced to install an APK, typically through a fake website that may look a lot like the Google Play Store, but isn’t.
Once the malicious APK has been installed, users are tricked into granting Accessibility permissions under the guise that it is necessary for the app to function normally. Using these permissions, the malware can stealthily enable wireless ADB by navigating to Developer options, thereby gaining shell access (UID 2000). At this point, the trojan has full control of the device, giving attackers access to your keystrokes, screen locks, and screen streaming.
RedHook was first discovered by researchers at Cyble last year, and this appears to be an upgraded version. It uses more devious techniques to make it virtually impossible to remove from the device, such as using a WakeLock to trick the system into keeping it running at all times. Moreover, this trojan can also keep the screen turned on by enabling a 1×1 pixel that is virtually imperceptible to the user, thereby convincing Android that it’s a key process that shouldn’t be killed.
More crucially, this upgraded version of RedHook uses what Group-IB terms “a two-service cross-process resurrection mechanism.” Simply explained, these are two functions that can resurrect each other when the other is killed, making them difficult to eliminate.
While this malware was initially targeted at individuals in Vietnam, the attackers have since reportedly expanded to Indonesia.
What can you do to stay safe?
As with previous malware attacks, people are recommended to always download apps from official sources such as the Google Play Store. Exercise discretion if you absolutely need to download and install an APK, and always keep a close eye on permission requests.
We’ve recently seen evidence that Android may close a security loophole by disabling access to Developer options as part of Advanced Protection. But until this feature officially arrives on Android, the best way to stay safe is to avoid any suspicious links you find in your emails, text messages, or social media apps.
Thank you for being part of our community. Read our Comment Policy before posting.