RedWing Android Malware Sold on Telegram as a Rental Fraud Kit
A new Android fraud operation tracked as RedWing is being marketed on Telegram as a turnkey malware service, lowering the technical barrier for attackers looking to steal banking credentials and one-t...
A new Android fraud operation tracked as RedWing is being marketed on Telegram as a turnkey malware service, lowering the technical barrier for attackers looking to steal banking credentials and one-time passcodes from mobile devices.
Researchers at Zimperium’s zLabs say the campaign resembles a newer version of Oblivion, a malware rental offering previously advertised for about $300 per month. RedWing is packaged as a subscription-based product with onboarding guides, referral incentives, and video walkthroughs, allowing buyers to generate custom builds through a Telegram bot without needing their own development expertise.
How the infection works
The operation typically begins with a phishing link that leads to a counterfeit app distribution page. According to the researchers, the builder can imitate popular app stores such as Google Play, Samsung’s Galaxy Store, and Huawei’s AppGallery, while also allowing fully customized pages with fabricated ratings, reviews, and download counts.
Once a victim installs the app outside an official store, the malware stages permission requests one by one. It asks for access that appears routine at first glance, including notification privileges, battery optimization exemptions, default SMS handling, and Android Accessibility services. That last permission is especially important, as it can let attackers read what is displayed on the screen and interact with the device on the user’s behalf.
What the malware can do
- Show fake login overlays over real banking and crypto apps to capture passwords
- Intercept incoming text messages and harvest one-time verification codes
- Use Accessibility functions to extract card data, PINs, and other sensitive information
- Enable call forwarding with a hidden carrier code to reroute verification calls
- Stream the screen live, record keystrokes, and let operators control the phone remotely
- Activate the camera and microphone, read files, and collect contacts, logs, and location data
- Group infected devices for denial-of-service traffic against selected websites
Zimperium identified dozens of targeted institutions and said the current focus appears to be on Russian financial organizations, though the target list can be changed from the control panel. The researchers also noted signs pointing to the Russian market, including a fake RuStore page in one sample, but stopped short of confirming attribution.
The campaign reflects a broader shift in Android fraud toward on-device attacks, where criminals operate inside a victim’s legitimate banking session instead of relying on stolen passwords alone. Because RedWing depends on sideloading and user-granted permissions rather than a software exploit, security guidance centers on avoiding apps from outside official stores and limiting risky permission requests.
