RedWing: New Android Malware-as-a-Service Threatens Mobile Banking
A new Android malware operation, dubbed **RedWing**, is being offered as a sophisticated bank-fraud-as-a-service on Telegram. This readily available tool empowers even low-skilled cybercriminals to compromise victim devices, steal banking credentials, and intercept crucial one-time passcodes, posing a significant threat to mobile financial security.
A new Android malware operation called **RedWing** is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts.

**Zimperium's zLabs**, which found the operation, says it looks like a new variant of **Oblivion**, a $300-a-month rent-a-malware tool documented earlier this year.
**RedWing** is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand.
Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools.
## Infection Vector and Permission Abuse
Infection starts with a phishing link that opens a fake app-store page. The kit's dropper builder can mimic **Google Play**, the **Galaxy Store**, and **AppGallery**, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions.
The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications.
It also asks to turn on Android's **Accessibility** service, which malware abuses to read the screen and control the phone.

## Extensive Capabilities of RedWing
With those permissions, **RedWing** has broad control of the phone. Its capabilities include:
* Fake login screens, called overlays, that appear over real banking and cryptocurrency apps to steal passwords.
* Reading incoming texts for one-time passcodes, and using **Accessibility** to lift codes, card numbers, and PINs off the screen as they appear.
* Silently switching the victim's incoming calls over to the attacker, using a hidden carrier code (*21*) to turn on call forwarding, which knocks out phone-based verification and bank fraud-check calls.
* Live screen streaming and a keylogger, so operators can watch and control the phone in real time.
* Switching on the camera and microphone, reading files, stealing contacts and call logs, and tracking location.
* Pooling infected phones to flood a target website with traffic, a denial-of-service attack.
Buyers choose their own targets, and the malware splits its targeting into two. The apps it watches through **Accessibility** are baked into each copy, which points to a fresh app being built to order once a buyer picks targets. The overlay targets, by contrast, can be changed later from the control panel without pushing out a new app.

**Zimperium** counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though that list can shift at any time. The evidence points to the Russian market: one sample used a fake page for Russia's **RuStore**. Experts say the operation appears linked to Russian threat actors but stops short of confirming it.
## The Trend of On-Device Fraud
**RedWing** fits a wider move in Android crime toward on-device fraud, where attackers operate inside the victim's own banking session instead of stealing a password to use elsewhere.
Researchers flagged a near-identical Russian-market rental kit, **Fantasy Hub**, last year. The same techniques turn up in **Albiriox**, aimed at more than 400 finance apps, and **Klopatra**, which used hidden remote control and fake overlays to drain accounts while victims slept.
## Mitigation and Defense Strategies
**RedWing** needs no Android exploit. It works only when a user installs the app from outside an official store and approves the prompts, so the first line of defense is what happens at install time. For individuals:
* Install apps only from official stores, and treat any "update" that arrives by link or text message as suspect.
* Do not turn on "install from unknown sources," and do not grant **Accessibility**, default text-message handler, or battery-exemption access to an app with no clear reason to need it.
* Watch for an app that hides its icon after it installs, a common trick for staying out of sight.
On managed devices, the same choices can be enforced centrally: block sideloading, and flag apps that request **Accessibility** or the default-SMS role.
Researchers have also published indicators of compromise for teams that want to hunt for it. Because the kit can be reskinned and its overlay targets swapped from a panel, the same code can keep resurfacing under new names, so app names are a poor way to track it. The behavior is the signal, not the name.