Hacking

RedWing Android Malware Rented as Bank Fraud Service

Published  ·  6 min read

A new bank fraud scheme involving an Android malware-as-a-service operation can be leased via Telegram for carrying out the crime. The malware is named RedWing. 

It allows even unskilled hackers to control the victim's device and steal banking credentials along with one-time codes used for securing accounts.

Zimperium's zLabs found the operation. It appears to be a new variant of Oblivion, a rent-a-malware tool documented earlier this year. RedWing is sold as a complete product with subscription tiers, referral discounts, guides, and how-to videos. Buyers need no malware-writing skills. A Telegram bot builds each customer a custom app on demand.

A substantial number of the resulting droppers and payloads currently evade conventional security tools.

The Infection Process

The attack starts with a phishing link that opens a fake app-store page. The kit's dropper builder can mimic Google Play, the Galaxy Store, and AppGallery. It can also build fully custom pages complete with fake ratings, reviews, and download counts. 

The page coaxes the user into installing the app from outside the official store and approving its permissions.

The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine tasks: turn off battery limits, set the app as the default text-message handler, and switch on notifications.

It also asks to turn on Android's Accessibility service. This is the critical permission that malware abuses to read the screen and control the phone.

What RedWing Can Do

With the necessary permissions granted, RedWing gains broad control over the device. 

Its capabilities include:

  • Overlay attacks: It generates overlays on top of banking and cryptocurrency applications, which look like legitimate interfaces that require passwords for logging in.
  • Two-factor authentication attack: It scans incoming messages to detect one-time passcodes sent to users’ phones. Also use the Accessibility service to grab codes, card details, and PINs from the display.
  • Call forward hijack: In this case, the malware quietly redirects the calls of the victim to that of the attacker through the use of carrier codes. This makes it impossible for phone authentication as well as bank transaction checks to be carried out.
  • Live screen recording and keylogging: The operators will be able to view and even operate the phone remotely. They will therefore be able to see exactly what the victim is seeing and even type.
  • Surveillance: It can switch on the camera and microphone, read files, steal contacts and call logs, and track location.
  • DDoS capability: The malware can pool infected phones to flood a target website with traffic.

How the Targeting Works

Buyers choose their own targets. The apps the malware watches through Accessibility are baked into each copy. This means a fresh app is built to order once a buyer picks targets. The overlay targets can be changed later from the control panel without pushing out a new app.

The malware has been observed targeting 82 institutions across several sectors, with a strong focus on Russian financial firms. One sample used a fake page for Russia's RuStore, suggesting the operation is tailored for the Russian market. 

Experts say the operation appears linked to Russian threat actors but stop short of confirming it.

A Broader Trend

RedWing fits a wider move in Android crime toward on-device fraud. Attackers operate inside the victim's own banking session instead of stealing a password to use elsewhere. This makes the fraud harder to detect because it comes from the victim's own device.

A near-identical Russian-market rental kit called Fantasy Hub was documented last year. The same techniques appear in Albiriox, which targets more than 400 finance apps, and Klopatra, which used hidden remote control and fake overlays to drain accounts while victims slept.

Why This Works

RedWing does not exploit any Android vulnerability. It works only when a user installs the app from outside an official store and approves the permissions. The entire attack chain relies on user interaction and social engineering.

How to Protect Yourself

For individuals, the first line of defense is behavior at install time:

  • Install apps only from official stores like Google Play.
  • Treat any "update" that arrives by link or text message as suspect.
  • Do not turn on "install from unknown sources."
  • Do not grant Accessibility, default text-message handler, or battery-exemption access to an app with no clear reason to need it.
  • Watch for an app that hides its icon after it installs. This is a common trick used by malware to stay out of sight.

For organizations with managed devices, the same choices can be enforced centrally: block sideloading and flag apps that request Accessibility or the default-SMS role.

The Bottom Line

RedWing is a polished, commercial Android banking trojan sold as a service. Fake app stores. Custom-built droppers. Overlay attacks. Call forwarding hijack. Live screen streaming. All delivered through a Telegram bot.

Because the kit can be reskinned and its overlay targets swapped from a panel, the same code will keep resurfacing under new names. App names are a poor way to track it. The behavior is the signal.

Do not install apps from unknown sources. Do not grant Accessibility to untrusted apps. And treat any request to become the default SMS app with extreme suspicion.

FAQ Section

What is RedWing?

RedWing is an Android banking malware operation rented out on Telegram as a service. It allows criminals to steal banking logins, intercept 2FA codes, and hijack calls.

How does the infection begin?

The infection begins with a phishing link leading to a fraudulent app-store site where the victim is convinced to install an app and provide permission.

Which permissions does RedWing ask for?

RedWing asks for accessibility service permission, default SMS handler permission, battery exemption permission, and notifications permission. RedWing provides itself full control of the infected machine.

What can RedWing do?

It can show a false login screen, read 2FA codes, divert call, mirror the screen, keystroke logging, camera access, microphone access, and location tracking.

Which institutions are targeted?

The malware has been observed targeting 82 institutions, with a strong focus on Russian financial firms. The target list can be changed from the control panel.

How can I protect myself?

Install apps only from official stores. Do not provide Accessibility or default SMS application permissions to unknown applications. Consider all hidden applications as potentially dangerous.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067