CyberSecurity

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

Published

on

RedWing Android malware: A new Telegram rental for bank fraud

A fresh Android malware operation, dubbed RedWing, is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.

Security researchers at Zimperium‘s zLabs unit, which discovered the operation, say it appears to be a new variant of Oblivion — a $300-a-month rent-a-malware tool that’s been circulating in underground forums since late 2023.

The rise of Malware-as-a-Service (MaaS) on messaging platforms like Telegram is lowering the barrier to entry for cybercrime. RedWing is the latest example, packaging sophisticated Android bank fraud into a subscription model anyone can buy.

How RedWing works: Remote access and OTP theft

RedWing is a Remote Access Trojan (RAT) specifically designed for Android devices. Once installed — often through malicious apps sideloaded from third-party stores or phishing links — it can:

  • Take over the victim’s screen in real time, allowing the attacker to see everything the user does.
  • Steal banking credentials by overlaying fake login pages on top of legitimate banking apps.
  • Intercept one-time passwords (OTPs) sent via SMS, defeating two-factor authentication.
  • Log keystrokes and capture screenshots, giving the attacker full visibility into the device.

The malware communicates with its command-and-control (C2) server over encrypted channels, making detection harder for traditional antivirus tools. Zimperium’s zLabs says RedWing targets over 100 banking apps globally, with a particular focus on European and Latin American financial institutions.

Oblivion connection: A $300-a-month malware family

Zimperium’s analysis reveals strong code similarities between RedWing and the Oblivion malware family. Oblivion, first documented in early 2024, was sold as a subscription service for $300 per month on Telegram and dark web forums. It offered similar capabilities — screen recording, keylogging, and SMS interception — but RedWing appears to be an upgraded version.

Key differences include:

  • Improved obfuscation to evade Google Play Protect and other security scanners.
  • New anti-analysis tricks, such as detecting if it’s running in an emulator or sandbox environment.
  • Expanded target list with more banking apps and cryptocurrency wallets.

The pricing for RedWing hasn’t been disclosed publicly, but Zimperium suspects it follows a similar subscription model. The Telegram channel advertising the service boasts features like “24/7 support” and “regular updates” — a sign that the operators are treating it as a professional business.

Telegram as a marketplace for cybercrime tools

Telegram has become a hub for cybercriminal activity, from selling stolen data to renting out malware. The platform’s encrypted messaging, large file sharing, and channel features make it ideal for underground marketplaces. RedWing’s operators use Telegram channels to advertise their product, provide customer support, and distribute updates.

This isn’t new. Researchers have documented dozens of MaaS operations on Telegram, including ransomware builders, DDoS-for-hire services, and phishing kits. What makes RedWing notable is its focus on Android bank fraud — a lucrative niche where even low-skill attackers can drain accounts if they have the right tools.

For victims, the consequences can be severe: emptied bank accounts, stolen identities, and months of financial recovery. For banks, it means constantly updating fraud detection systems to catch new variants of malware.

How to protect against RedWing and similar threats

Android users can take several steps to reduce their risk:

  • Only install apps from the Google Play Store. Sideloading apps from unknown sources is the primary infection vector for RedWing.
  • Review app permissions carefully. If a flashlight app asks for SMS access or screen overlay permissions, that’s a red flag.
  • Enable Google Play Protect and keep it updated. It won’t catch everything, but it blocks many known malware samples.
  • Use a reputable mobile security app that can detect malicious behavior in real time.
  • Never click on links in unsolicited SMS or email messages claiming to be from your bank. Instead, open your banking app directly.

For security teams, Zimperium recommends monitoring for traffic patterns associated with RedWing’s C2 servers and integrating mobile threat detection into their existing security stack.

The bigger picture: MaaS is here to stay

RedWing is just the latest in a growing wave of Malware-as-a-Service offerings. As long as there’s demand for easy-to-use cybercrime tools, developers will build them and market them on platforms like Telegram. The barrier to entry for digital bank fraud has never been lower.

For consumers, the takeaway is clear: treat your phone like a wallet, because that’s exactly what attackers see it as. And for the security industry, the challenge is keeping up with an ever-evolving threat landscape where a new variant can appear on Telegram overnight.

Zimperium’s full technical report on RedWing is available on their blog, with indicators of compromise (IOCs) for security teams to use. The company says it’s sharing its findings with Google and affected financial institutions to help mitigate the threat.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version