A fully featured Android Malware-as-a-Service operation called RedWing is being rented out on Telegram, allowing criminals with no technical skills to conduct sophisticated bank fraud and full device takeover. Researchers at Zimperium's zLabs discovered the campaign and assess RedWing as a new variant of the previously documented Oblivion banking toolkit.
A Franchise for Fraud
RedWing operates as a turnkey fraud franchise. Subscriptions are sold through a Telegram bot that automatically generates a custom APK for each subscriber, uniquely configured with the subscriber's target bank list and branding preferences. Tiered pricing, referral discounts, onboarding guides, and video tutorials lower the barrier to entry to near zero. The Telegram bot also builds convincing fake app store pages — complete with counterfeit ratings and download counts — mimicking Google Play, Samsung Galaxy Store, or AppGallery to coerce victims into sideloading the malware.
How the Attack Unfolds
Once a victim installs the fake app, RedWing walks them through a sequence of permission requests designed to appear routine:
- Battery optimization exemption — ensures the malware survives device sleep
- Default SMS handler — captures all incoming text messages including OTPs
- Notification access — reads and dismisses banking alerts before the victim sees them
- Android Accessibility Service — the master key granting persistent screen-reading and device control
With Accessibility granted, the attacker has comprehensive control of the device and can conduct fraud inside the victim's authenticated banking session, making detection by the bank far harder than traditional credential replay.
Capabilities
Zimperium's analysis revealed a surveillance and fraud toolkit that covers every major attack vector used in mobile banking fraud:
| Capability | Details |
|---|---|
| Overlay attacks | Fake login screens layered over banking and crypto apps to harvest credentials |
| OTP interception | SMS capture plus Accessibility API screen-scraping to bypass 2FA |
| Call forwarding | Carrier USSD codes (e.g., *21*) redirect calls, neutralizing phone-call verification |
| Screen streaming | Real-time live view of the victim's device screen |
| Keylogging | Keystroke capture across all apps |
| Full surveillance | Camera, microphone, file system, contacts, and GPS access |
| Botnet pooling | Compromised devices available for DDoS operations between fraud sessions |
The call forwarding capability deserves particular attention: by silently redirecting the victim's incoming calls to an attacker-controlled number, RedWing defeats bank verification workflows that rely on calling the customer back to confirm a suspicious transaction.
Targeting and Attribution
Zimperium identified 82 targeted financial institutions across multiple regions. Sample analysis revealed a pronounced focus on Russian financial firms and Russia's RuStore alternative app store, leading Zimperium to assess the threat actors as likely Russian-affiliated — though the researchers stop short of definitive attribution.
RedWing joins a crowded MaaS ecosystem that includes Fantasy Hub, Albiriox (targeting 400+ finance apps), and Klopatra. The key distinction of this generation of MaaS kits is the shift to on-device fraud — rather than stealing credentials for later replay, attackers conduct fraudulent transactions inside the victim's own authenticated session, making bank-side anomaly detection significantly harder.
Why Signatures Fail Here
Zimperium specifically notes that RedWing's rapid repackaging under new names and identifiers means app identity is not a reliable detection signal. New APK hashes, package names, and signing certificates can be generated per subscriber by the Telegram bot, making signature-based mobile security tools ineffective. Behavioral detection is the only reliable defense.
Defensive Recommendations
For individuals:
- Only install apps from official stores (Google Play Store, Apple App Store)
- Be deeply suspicious of any app requesting Accessibility Service, default SMS, or battery optimization exemption
- Monitor your bank accounts and call forwarding settings regularly (
##002#to check and clear forwarding)
For enterprises and security teams:
- Enforce MDM policies that block sideloading and unknown sources
- Flag behavioral indicators: any app requesting Accessibility + default-SMS combination on enrollment is high risk
- Deploy behavioral mobile threat defense (MTD) rather than signature-based scanning
- Brief employees on the sideloading social engineering tactics used in fake store pages