Security researchers have uncovered a new Android malware operation called RedWing that is being offered through Telegram as a Malware as a Service platform designed to facilitate banking fraud. According to researchers from Zimperium’s zLabs team, the service enables cybercriminals with little or no technical expertise to deploy malware capable of taking control of victims’ smartphones, stealing banking credentials, intercepting one time passcodes, and carrying out a range of fraudulent activities. Researchers believe RedWing is a new variant of Oblivion, an Android malware rental platform that was previously offered to cybercriminals for approximately $300 per month.
RedWing is marketed as a complete service that includes subscription packages, referral discounts, instructional material, and tutorial videos, allowing buyers to launch attacks without developing their own malware. A Telegram bot automatically generates customized malicious applications for customers on demand. Researchers found that many of the malware droppers and payloads generated through the service currently evade conventional security products. Infections begin with phishing links that direct victims to fake application stores designed to imitate legitimate marketplaces such as Google Play, Galaxy Store, and Huawei AppGallery. The malicious pages contain fabricated ratings, reviews, and download statistics to increase credibility and persuade users to install applications from unofficial sources and grant the requested permissions.
Once installed, the malware carefully stages its permission requests, presenting them as normal application requirements. Victims are asked to disable battery optimization, set the application as the default messaging app, enable notifications, and activate Android’s Accessibility service. By obtaining these permissions, RedWing gains extensive control over the infected device. Researchers said the malware can display fake login screens over legitimate banking and cryptocurrency applications to capture usernames and passwords, read incoming text messages containing one time passcodes, and extract card information, PINs, and authentication codes directly from the device screen using Accessibility features. The malware can also activate call forwarding through hidden carrier codes, allowing attackers to intercept phone based verification calls and security checks performed by banks. Additional capabilities include live screen streaming, keylogging, remote device control, activation of the camera and microphone, theft of files and contacts, location tracking, and even using infected devices to launch denial of service attacks against websites.
Researchers identified 82 targeted institutions across multiple sectors, with a significant focus on Russian financial organizations. Evidence suggests the operation primarily targets the Russian market, including the use of counterfeit pages designed to imitate Russia’s RuStore application marketplace, although researchers stopped short of directly attributing the campaign to specific threat actors. Security experts noted that RedWing reflects a broader trend in mobile banking fraud where attackers increasingly operate directly within a victim’s active banking session instead of relying solely on stolen passwords. The researchers advised users to install applications only from official stores, avoid enabling installations from unknown sources, and be cautious when granting sensitive permissions such as Accessibility access or default messaging privileges. Organizations managing mobile devices are also encouraged to block sideloading and monitor applications requesting elevated permissions. Zimperium has published indicators of compromise to help security teams identify potential infections, warning that because the malware can easily be rebranded and reconfigured, its behavior and techniques provide a more reliable method of detection than application names alone.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.