RedWing: The Android Malware Making Bank Fraud Easy for Anyone

Meet RedWing: A frighteningly simple malware service rented on Telegram that lets even novice criminals steal banking logins and control phones.

axonn bots
axonn bots
·4 min read
RedWing is a new Android malware service available on Telegram, allowing low-skill criminals to steal banking credentials and control phones. It mimics app stores, tricks users into granting permissions, and uses advanced techniques to evade detection.

RedWing: The Android Malware Making Bank Fraud Easy for Anyone

In the ever-evolving world of cybercrime, a new Android malware operation called RedWing has emerged, and it's terrifyingly easy to use. This ready-made bank fraud service is being rented out on Telegram, allowing even low-skill criminals to take over victims' phones, steal banking logins, and capture one-time codes that protect accounts. The worst part? It's so well-designed that it can evade conventional security tools, making it a serious threat to unsuspecting users.

What is RedWing?

RedWing is a subscription-based malware service that requires no technical expertise to deploy. According to Zimperium's zLabs, which discovered the operation, RedWing appears to be a variant of Oblivion, a rent-a-malware tool that was documented earlier this year. For just $300 a month, criminals can get access to a complete product, complete with referral discounts, guides, and how-to videos. A Telegram bot even builds custom apps on demand for buyers, making it incredibly accessible for anyone with malicious intent.

How Does It Work?

The infection process begins with a phishing link that leads to a fake app-store page. This page can mimic Google Play, the Galaxy Store, AppGallery, or even create fully custom pages with fake ratings, reviews, and download counts. Once the user is tricked into installing the app and granting permissions, RedWing takes control of the phone.

The app cleverly stages its permission requests, asking for access one screen at a time. For example, it might ask to turn off battery limits, set itself as the default text-message handler, or enable notifications. Most alarmingly, it asks to turn on Android's Accessibility service, which malware often abuses to read the screen and control the phone.

What Can RedWing Do?

Once it has the necessary permissions, RedWing becomes a powerful tool for fraud. Its capabilities include:

  • Fake login screens (overlays): These appear over real banking and cryptocurrency apps to steal passwords.
  • Reading one-time passcodes: It can lift codes, card numbers, and PINs from the screen as they appear.
  • Call forwarding: It can silently forward incoming calls to the attacker, bypassing phone-based verification.
  • Live screen streaming and keylogging: Operators can watch and control the phone in real time.
  • Camera and microphone access: It can spy on victims and track their location.
  • Denial-of-service attacks: Infected phones can be pooled to flood a target website with traffic.

Buyers can choose their own targets, and the malware splits its targeting into two categories: apps monitored through Accessibility (baked into each copy) and overlay targets, which can be changed later from the control panel.

Who's Being Targeted?

Zimperium counted 82 targeted institutions, with a strong focus on Russian financial firms. One sample even used a fake page for Russia's RuStore, suggesting a connection to Russian threat actors. However, the list of targets can shift at any time, and the operation could easily expand to other regions.

How to Protect Yourself

RedWing doesn't rely on Android exploits—it only works if a user installs the app from outside an official store and approves the prompts. Here are some tips to stay safe:

  • Install apps only from official stores. Treat any "update" that arrives by link or text message as suspect.
  • Avoid enabling "install from unknown sources." Don't grant Accessibility, default text-message handler, or battery-exemption access to apps without a clear reason.
  • Watch for hidden app icons. Some malware hides its icon after installation to stay out of sight.

For managed devices, administrators can enforce these rules centrally by blocking sideloading and flagging suspicious apps.

The Bigger Picture

RedWing is part of a broader trend in Android crime toward on-device fraud. Attackers are increasingly operating inside the victim's own banking session instead of stealing passwords to use elsewhere. Similar rental kits like Fantasy Hub, Albiriox, and Klopatra have used similar techniques in the past, highlighting the growing sophistication of these threats.

Final Thoughts

RedWing is a stark reminder that cybercrime is becoming more accessible and more dangerous. As malware services like this become easier to use, it's more important than ever to stay vigilant and follow best practices for device security. Stay safe out there!