A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.
Zimperium’s zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool documented earlier this year.
RedWing is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand.
Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools.
Infection starts with a phishing link that opens a fake app-store page. The kit’s dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions.
The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications.
It also asks to turn on Android’s Accessibility service, which malware abuses to read the screen and control the phone.
With those permissions, RedWing has broad control of the phone. Its capabilities include:
Buyers choose their own targets, and the malware splits its targeting into two. The apps it watches through Accessibility are baked into each copy, which points to a fresh app being built to order once a buyer picks targets. The overlay targets, by contrast, can be changed later from the control panel without pushing out a new app.
Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though that list can shift at any time. The evidence points to the Russian market: one sample used a fake page for Russia’s RuStore. Experts say the operation appears linked to Russian threat actors but stops short of confirming it.
RedWing fits a wider move in Android crime toward on-device fraud, where attackers operate inside the victim’s own banking session instead of stealing a password to use elsewhere.
Leave a Reply