Skip to main content
Emerging ThreatsMalware & Ransomware

RedWing Spyware Targets Android Users via Telegram

Smartphone on cluttered desk with blurred screen, laptop and papers nearby.

Zimperium's zLabs counted 82 targeted institutions, most of them Russian financial firms, in a new Android spyware campaign that researchers say is being rented as a service on Telegram.

How RedWing is sold and delivered on Telegram

Zimperium's zLabs identified the spyware as RedWing and said operators are offering it as a polished malware-as-a-service (MaaS) operation through Telegram. A Telegram bot builds and obfuscates a malicious APK for customers, and the operation includes seller documentation, tutorial videos and a subscription model. The service even runs a referral scheme that offers discounts to users who spread the malware further.

Social engineering and distribution: fake stores, fake ratings, and permissive prompts

To attract victims, operators can generate fake app-store pages that mimic Google Play, the Galaxy Store, AppGallery and RuStore, complete with fabricated ratings and download counts. Once installed, RedWing guides victims through staged permission prompts presented as routine setup steps and cajoles users into granting high-level access including Android's accessibility service and control of the SMS inbox. The malware can hide its own icon and continue running in the background after installation.

Technical capabilities: overlays, SMS interception, call forwarding, and remote control

RedWing's primary credential-theft mechanism is a fake-overlay system. When a targeted banking or cryptocurrency app opens, the malware drops a convincing login screen on top of the real app to harvest credentials; operators can add new targets from a control panel. To defeat two-factor authentication, RedWing intercepts SMS codes and can silently forward incoming calls to an attacker's number, bypassing the confirmation calls banks may use to check for fraud. The malware also provides live VNC-style screen control, keylogging, covert camera and microphone recording, and the ability to pool infected phones into a botnet for denial-of-service attacks.

Attribution and links to existing malware families

zLabs said RedWing appears to be a new variant of an Android malware family known as Oblivion, citing shared droppers and overlay techniques. The researchers also linked the operation to Russian threat actors. Zimperium added that many RedWing samples currently slip past conventional security tools, underscoring the difficulty of detection when a threat is both modular and actively maintained.

What this means for technologists, affected banks, and end users

  • Technologists and security teams: Expect a low-barrier, commodified threat model—operators are supplying obfuscated APKs, control panels and turnkey distribution channels through Telegram. Security teams will need to look for behavior consistent with overlays, SMS interception and unauthorized use of accessibility services rather than relying solely on signature-based detection.
  • Affected banks and financial institutions: With 82 targeted institutions identified by zLabs, most of them Russian financial firms, banks should monitor for credential-theft attempts that use overlay screens and unrecognized out-of-band call forwarding. Institutions that rely on SMS or confirmation calls for transaction authentication will have to consider how those channels can be intercepted or forwarded.
  • End users and the general public: The campaign deploys convincing fake app-store pages and orchestrated permission prompts to trick users into granting invasive rights. Users encountering unexpected permission requests for accessibility features or SMS access, or unusual prompts to forward calls, are at elevated risk of takeover and exfiltration of credentials.

RedWing illustrates how a combination of automation, professionalized documentation and familiar messaging platforms can turn sophisticated mobile exploitation techniques into a consumable service for criminals. By packaging APK builders, fake storefronts, and a referral-driven sales model inside Telegram, operators have lowered the technical barrier to mounting credential theft, call and SMS interception, remote surveillance and—even—mobile-based DDoS. Zimperium's linkage to the Oblivion family and the tally of 82 targeted institutions provide concrete technical and targeting breadcrumbs; the broader question is how many infections the operation has achieved in the wild and which customers have already used the service.

Read the Zimperium zLabs report at the original source: https://www.infosecurity-magazine.com/news/redwing-android-spyware-maas/