A brand new Android malware operation known as RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a sufferer’s telephone, steal their banking logins, and seize the one-time codes that defend their accounts.
Zimperium’s zLabs, which discovered the operation, says it appears like a brand new variant of Oblivion, a $300-a-month rent-a-malware instrument documented earlier this 12 months.
RedWing is offered as an entire product, in subscription tiers with referral reductions, guides, and how-to movies, so a purchaser wants no malware-writing ability. A Telegram bot builds every purchaser a customized app on demand.
Researchers say a considerable variety of the ensuing droppers and payloads at the moment evade typical safety instruments.
An infection begins with a phishing hyperlink that opens a faux app-store web page. The equipment’s dropper builder can mimic Google Play, the Galaxy Retailer, and AppGallery, or construct totally customized pages, full with faux rankings, critiques, and obtain counts. The web page then coaxes the consumer into putting in the app from exterior the official retailer and approving its permissions.
The app levels its permission requests one display screen at a time. A harmless-looking net web page sits within the background whereas pop-up playing cards request permissions framed as routine: flip off battery limits, set the app because the default text-message handler, and change on notifications.
It additionally asks to activate Android’s Accessibility service, which malware abuses to learn the display screen and management the telephone.
With these permissions, RedWing has broad management of the telephone. Its capabilities embrace:
- Pretend login screens, known as overlays, that seem over actual banking and cryptocurrency apps to steal passwords.
- Studying incoming texts for one-time passcodes, and utilizing Accessibility to carry codes, card numbers, and PINs off the display screen as they seem.
- Silently switching the sufferer’s incoming calls over to the attacker, utilizing a hidden provider code to activate name forwarding, which knocks out phone-based verification and financial institution fraud-check calls.
- Dwell display screen streaming and a keylogger, so operators can watch and management the telephone in actual time.
- Switching on the digicam and microphone, studying information, stealing contacts and name logs, and monitoring location.
- Pooling contaminated telephones to flood a goal web site with visitors, a denial-of-service assault.
Consumers select their very own targets, and the malware splits its concentrating on into two. The apps it watches via Accessibility are baked into every copy, which factors to a recent app being constructed to order as soon as a purchaser picks targets. The overlay targets, against this, will be modified later from the management panel with out pushing out a brand new app.
Zimperium counted 82 focused establishments throughout a number of sectors, with a powerful give attention to Russian monetary corporations, although that listing can shift at any time. The proof factors to the Russian market: one pattern used a faux web page for Russia’s RuStore. Consultants say the operation seems linked to Russian risk actors however stops wanting confirming it.
RedWing matches a wider transfer in Android crime towards on-device fraud, the place attackers function contained in the sufferer’s personal banking session as a substitute of stealing a password to make use of elsewhere.
Researchers flagged a near-identical Russian-market rental equipment, Fantasy Hub, final 12 months. The identical strategies flip up in Albiriox, geared toward greater than 400 finance apps, and Klopatra, which used hidden distant management and pretend overlays to empty accounts whereas victims slept.
RedWing wants no Android exploit. It really works solely when a consumer installs the app from exterior an official retailer and approves the prompts, so the primary line of protection is what occurs at set up time. For people:
- Set up apps solely from official shops, and deal with any “replace” that arrives by hyperlink or textual content message as suspect.
- Don’t activate “set up from unknown sources,” and don’t grant Accessibility, default text-message handler, or battery-exemption entry to an app with no clear motive to want it.
- Look ahead to an app that hides its icon after it installs, a standard trick for staying out of sight.
On managed units, the identical selections will be enforced centrally: block sideloading, and flag apps that request Accessibility or the default-SMS function.
Researchers have additionally printed indicators of compromise for groups that wish to hunt for it. As a result of the equipment will be reskinned and its overlay targets swapped from a panel, the identical code can maintain resurfacing underneath new names, so app names are a poor strategy to monitor it. The habits is the sign, not the title.



