RedWing Android Malware Offered As Telegram Service To Enable Banking Fraud And Device Takeover

RedWing Android Malware Offered As Telegram Service To Enable Banking Fraud And Device Takeover

Cybersecurity researchers have identified a new Android malware operation named RedWing that is being marketed through Telegram as a ready made service for conducting banking fraud. According to researchers from Zimperium’s zLabs, the malware allows even low skill cybercriminals to compromise Android devices, steal banking credentials, intercept one time passwords, and gain extensive control over infected smartphones. Researchers believe RedWing is a new variant of Oblivion, a malware rental platform that emerged earlier this year and was offered to cybercriminals for a monthly subscription fee. The latest operation is being sold as a complete service with subscription plans, referral discounts, instructional guides, and tutorial videos, eliminating the need for buyers to possess malware development skills.

The malware is distributed through a Telegram bot that automatically generates customized malicious applications for customers on demand. Researchers found that many of the resulting payloads and droppers can currently evade traditional security products. Infections begin with phishing links that redirect users to fraudulent application store pages designed to imitate legitimate platforms such as Google Play, Galaxy Store, and Huawei AppGallery. The malware kit can also create fully customized download pages that display fake ratings, reviews, and download statistics to increase credibility. Victims are then persuaded to install applications from outside official app stores and grant a series of permissions that appear harmless. The malicious application requests permissions gradually, presenting them as normal functions such as disabling battery restrictions, enabling notifications, and setting the application as the default text message handler. It also asks users to activate Android’s Accessibility service, which can then be exploited to read screen contents and remotely control the device.

Once the permissions are granted, RedWing gains broad capabilities over the infected smartphone. The malware can display fake login screens over legitimate banking and cryptocurrency applications to capture usernames and passwords. It can read incoming text messages to steal one time verification codes and use Accessibility features to capture PINs, card numbers, and authentication information displayed on the screen. Researchers also discovered that the malware can secretly activate call forwarding using carrier codes, allowing attackers to intercept fraud verification calls and phone based authentication mechanisms. Additional features include live screen streaming, keylogging, activation of the device’s camera and microphone, access to files, theft of contacts and call logs, location tracking, and the ability to use infected devices in denial of service attacks by directing traffic toward targeted websites. Researchers said the malware’s targeting is highly flexible because operators can customize the applications and modify overlay targets without distributing a new malicious app.

Zimperium identified 82 targeted institutions across different sectors, with a significant focus on Russian financial organizations. Evidence gathered during the investigation suggests links to Russian cybercriminal activity, including the use of fake pages imitating Russia’s RuStore, although researchers stopped short of making a definitive attribution. Security experts noted that RedWing reflects a broader trend in mobile cybercrime in which attackers conduct fraudulent transactions directly from victims’ devices rather than simply stealing credentials for later use. Similar techniques have been observed in other malware families, including Fantasy Hub, Albiriox, and Klopatra, all of which relied on remote control capabilities and deceptive overlays to compromise financial accounts. Researchers stressed that RedWing does not rely on exploiting Android vulnerabilities and instead depends entirely on social engineering, requiring users to install applications from untrusted sources and approve dangerous permissions. As a result, limiting application installations to official stores and carefully reviewing permission requests remain essential steps in reducing exposure to this growing category of mobile banking malware.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment