Technology

New Android malware can drain bank accounts silently

Security researchers recommend sticking to official app stores like Google Play rather than sideloading APKs from unfamiliar sites

Published July 13, 2026
New Android malware can drain bank accounts silently
New Android malware can drain bank accounts silently

A newly upgraded strain of Android malware is exploiting a developer feature most users never touch to quietly take full control of infected phones and empty bank accounts.

Cybersecurity firm Group-IB has detailed how the malware, known as RedHook, now abuses wireless ADB to reach a level of access far beyond typical banking trojans.

Advertisement

Links are sent to victims through text messages, phone calls, email messages, or via social networking sites by people impersonating technical support or company employees.

These links direct victims to the imitation site, which mimics the Google Play Store, where the victims are tricked into downloading the malicious APK file.

Afterward, the malicious file will ask victims for their accessibility permissions, citing it as a requirement for the normal function of the app. According to analysis done by Group-IB and BleepingComputer, this request is not just used for normal operation but for a different purpose.

Once the accessibility permission is acquired, the malware accesses developer options and turns on wireless ADB to gain shell access with UID 2000. This gives the malware full control of the phone, where even the keystrokes, lock screens, and the live feed of the screen become accessible to the attacker.

The new iteration of the RedHook is a massive improvement on the original variant of the malware found by Cyble last year. It incorporates multiple techniques to avoid detection, including WakeLock, which keeps the malware alive all the time, and an extremely subtle 1x1 pixel activity that makes Android think it is an essential process that should not be terminated.

Perhaps the most notable addition is what Group-IB calls a two-service cross-process resurrection mechanism. In practice, this means RedHook runs two internal functions that relaunch each other the moment one gets terminated, making the malware extremely difficult to fully shut down through normal means.

How to protect yourself from malware?

Security researchers recommend sticking to official app stores like Google Play rather than sideloading APKs from unfamiliar sites. If installing an APK is unavoidable, scrutinising every permission request matters more than ever, especially accessibility access.

Pareesa Afreen
Pareesa Afreen is a reporter and sub editor specialising in technology coverage, with 3 years of experience. She reports on digital innovation, gadgets, and emerging tech trends while ensuring clarity and accuracy through her editorial role, delivering accessible and engaging stories for a fast-evolving digital audience.