Skip to main content
Emerging ThreatsMalware & Ransomware

RedWing Malware Targets Android Users with Bank Fraud as a Service

Dimly lit storefront at night with scattered neon signs and a blank smartphone screen on a cluttered counter.

"It looks like a new variant of Oblivion," Zimperium's zLabs concluded — and the finding carries a simple, unsettling consequence: a ready-made bank-fraud tool is now being rented on Telegram so that even low-skill criminals can take over victims' phones and intercept banking sessions.

How RedWing is packaged and sold

Zimperium's zLabs identified the operation and says RedWing is offered as a complete product on Telegram, marketed with subscription tiers, referral discounts, step-by-step guides and how‑to videos. A Telegram bot builds each buyer a custom app on demand. The researchers note the kit resembles an earlier, commercially rented tool: "it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool documented earlier this year."

Infection chain: fake stores, staged prompts, and sideloading

RedWing begins with a phishing link that opens a fake app-store page. The kit's dropper builder can impersonate Google Play, the Galaxy Store, and AppGallery — or create fully custom pages complete with fake ratings, reviews and download counts — and then urge the user to install the app from outside the official store. The malicious installer stages permission requests one screen at a time, keeping a harmless-looking web page visible while pop-up cards ask for seemingly routine actions: turn off battery limits, make the app the default SMS handler, and switch on notifications. It also requests Android's Accessibility service, which the malware abuses to read the screen and control the phone.

What RedWing can do once permissions are granted

  • Create fake login overlays that appear over real banking and cryptocurrency apps to steal passwords.
  • Read incoming SMS messages for one‑time passcodes and use Accessibility to capture codes, card numbers and PINs as they appear on screen.
  • Silently forward incoming calls to attackers by dialing a hidden carrier code (*21*), defeating phone‑based verification and bank callback checks.
  • Stream the live screen and log keystrokes so operators can watch and control the phone in real time.
  • Activate the camera and microphone, read local files, steal contacts and call logs, and track location.
  • Pool infected phones to flood a target website with traffic, functioning as a denial‑of‑service tool.

Targeting mechanics and geographic signals

Buyers select their targets, and RedWing splits targeting across two mechanisms. The set of apps the dropper watches through Accessibility is built into each copy, meaning a fresh app can be created to order once a buyer picks targets. Overlay targets — the fake login screens — can be swapped later from the malware's control panel without pushing a new app to victims. Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though researchers caution that the list can shift at any time. One sample used a fake page for Russia's RuStore; experts say the operation appears linked to Russian threat actors but stop short of a definitive attribution.

What this means for individual users, managed-device administrators, and targeted financial firms

  • Individual users should install apps only from official stores and treat any "update" that arrives by link or text message as suspect; they should not enable "install from unknown sources" and should refuse Accessibility, default‑SMS handler or battery‑exemption permissions for apps with no clear reason to need them. Users should also watch for apps that hide their icon after installation.
  • Managed‑device administrators can enforce the same protections centrally: block sideloading, and flag or block apps that request Accessibility or the default‑SMS role.
  • Financial firms identified as targets — and the teams defending them — need to treat suspicious session behavior as the signal. Researchers warn that app names are a poor tracking mechanism because the kit can be reskinned and overlay targets swapped; the behavioral indicators and published indicators of compromise are the more reliable ways to hunt for infections.

RedWing requires no Android exploit: it succeeds only when a user installs the app from outside an official store and approves the requested prompts. That shifts the first line of defense to what happens at install time — a simple decision that can still determine whether an attacker gains full control of a phone. Researchers have published indicators of compromise for defenders who want to hunt for the activity, and they emphasize that the code can reappear under new names, so vigilance must focus on behavior rather than on app labels.

The immediate fact is stark: a commercially packaged Android fraud kit, complete with on‑demand app builders and operator conveniences, is available through Telegram. Whether defenders can keep pace will hinge on enforcing install‑time controls, detecting anomalous device behavior, and following the IoCs researchers have published.

Source: The Hacker News