RedWing Android malware sold on Telegram as bank-fraud service

by

A new Android malware operation called RedWing is being rented on Telegram as a bank-fraud service that can take over phones, steal banking logins and capture one-time codes, with researchers finding 82 targeted institutions across several sectors.

KEY FACTS

  • Service model RedWing is sold in subscription tiers with referral discounts, guides and videos.
  • Infection path Victims are lured through phishing links to fake app-store pages and prompted to sideload apps.
  • Capabilities The malware can overlay login screens, read texts, forward calls and stream the screen live.
  • Targeting Zimperium counted 82 institutions, with a strong focus on Russian financial firms.

A technical analysis by Zimperium’s zLabs said the operation appears to be a new variant of Oblivion, a rent-a-malware tool documented earlier this year. The report said a Telegram bot builds a custom app for each buyer, so no malware-writing skill is needed.

The kit can mimic Google Play, the Galaxy Store, AppGallery and custom storefronts, complete with fake ratings, reviews and download counts. It then walks users through staged permission prompts that ask for battery exemptions, default SMS access, notifications and Android Accessibility.

With those permissions, the app can display fake banking overlays, read incoming texts and lift codes, card numbers and PINs from the screen. It can also switch on call forwarding with a hidden carrier code, stream the screen, log keystrokes, access the camera and microphone, and steal files, contacts, call logs and location data.

The report says the targeting is split in two. Accessibility targets are built into each copy, while overlay targets can be changed later from a control panel without pushing a new app. One sample used a fake page for Russia’s RuStore, but the disclosure stops short of confirming the operators’ identity.

Researchers also pointed to similar Russian-market rental kits, including Fantasy Hub, Albiriox and Klopatra. RedWing does not rely on an Android exploit, so the main defense is to avoid sideloading and deny permissions that an app does not clearly need.

WHY IT MATTERS

The campaign shows how Android fraud tools are moving toward on-device theft, where attackers operate inside a victim’s own banking session. That makes install-time caution, permission review and device controls more important than password security alone.