Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
NEWS

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service, letting even low-skill criminals take over a victim's phone, steal banking logins, intercept OTPs, and redirect calls — all against 82 targeted financial institutions.

Dylan H.

News Desk

July 7, 2026
4 min read

A fully featured Android Malware-as-a-Service operation called RedWing is being rented out on Telegram, allowing criminals with no technical skills to conduct sophisticated bank fraud and full device takeover. Researchers at Zimperium's zLabs discovered the campaign and assess RedWing as a new variant of the previously documented Oblivion banking toolkit.

A Franchise for Fraud

RedWing operates as a turnkey fraud franchise. Subscriptions are sold through a Telegram bot that automatically generates a custom APK for each subscriber, uniquely configured with the subscriber's target bank list and branding preferences. Tiered pricing, referral discounts, onboarding guides, and video tutorials lower the barrier to entry to near zero. The Telegram bot also builds convincing fake app store pages — complete with counterfeit ratings and download counts — mimicking Google Play, Samsung Galaxy Store, or AppGallery to coerce victims into sideloading the malware.

How the Attack Unfolds

Once a victim installs the fake app, RedWing walks them through a sequence of permission requests designed to appear routine:

  1. Battery optimization exemption — ensures the malware survives device sleep
  2. Default SMS handler — captures all incoming text messages including OTPs
  3. Notification access — reads and dismisses banking alerts before the victim sees them
  4. Android Accessibility Service — the master key granting persistent screen-reading and device control

With Accessibility granted, the attacker has comprehensive control of the device and can conduct fraud inside the victim's authenticated banking session, making detection by the bank far harder than traditional credential replay.

Capabilities

Zimperium's analysis revealed a surveillance and fraud toolkit that covers every major attack vector used in mobile banking fraud:

CapabilityDetails
Overlay attacksFake login screens layered over banking and crypto apps to harvest credentials
OTP interceptionSMS capture plus Accessibility API screen-scraping to bypass 2FA
Call forwardingCarrier USSD codes (e.g., *21*) redirect calls, neutralizing phone-call verification
Screen streamingReal-time live view of the victim's device screen
KeyloggingKeystroke capture across all apps
Full surveillanceCamera, microphone, file system, contacts, and GPS access
Botnet poolingCompromised devices available for DDoS operations between fraud sessions

The call forwarding capability deserves particular attention: by silently redirecting the victim's incoming calls to an attacker-controlled number, RedWing defeats bank verification workflows that rely on calling the customer back to confirm a suspicious transaction.

Targeting and Attribution

Zimperium identified 82 targeted financial institutions across multiple regions. Sample analysis revealed a pronounced focus on Russian financial firms and Russia's RuStore alternative app store, leading Zimperium to assess the threat actors as likely Russian-affiliated — though the researchers stop short of definitive attribution.

RedWing joins a crowded MaaS ecosystem that includes Fantasy Hub, Albiriox (targeting 400+ finance apps), and Klopatra. The key distinction of this generation of MaaS kits is the shift to on-device fraud — rather than stealing credentials for later replay, attackers conduct fraudulent transactions inside the victim's own authenticated session, making bank-side anomaly detection significantly harder.

Why Signatures Fail Here

Zimperium specifically notes that RedWing's rapid repackaging under new names and identifiers means app identity is not a reliable detection signal. New APK hashes, package names, and signing certificates can be generated per subscriber by the Telegram bot, making signature-based mobile security tools ineffective. Behavioral detection is the only reliable defense.

Defensive Recommendations

For individuals:

  • Only install apps from official stores (Google Play Store, Apple App Store)
  • Be deeply suspicious of any app requesting Accessibility Service, default SMS, or battery optimization exemption
  • Monitor your bank accounts and call forwarding settings regularly (##002# to check and clear forwarding)

For enterprises and security teams:

  • Enforce MDM policies that block sideloading and unknown sources
  • Flag behavioral indicators: any app requesting Accessibility + default-SMS combination on enrollment is high risk
  • Deploy behavioral mobile threat defense (MTD) rather than signature-based scanning
  • Brief employees on the sideloading social engineering tactics used in fake store pages

References

  • The Hacker News — RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
  • Zimperium zLabs Mobile Threat Research
#Malware#Android#MaaS#Banking#Telegram#RedWing#Mobile Security#Threat Intelligence

Related Articles

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid

Researchers at HUMAN Security uncovered Trapdoor, a sophisticated Android ad fraud and malvertising operation that used 455 malicious apps and 183...

4 min read

Fake Call History Apps Stole Payments From Users After 7.3

Cybersecurity researchers discovered 28 fraudulent Android apps on Google Play claiming to offer call history lookups, which instead enrolled users in...

6 min read

''NoVoice'' Android Malware on Google Play Infected 2.3

A new Android malware named NoVoice was discovered hiding in over 50 apps on the Google Play Store, with a combined download count of at least 2.3...

5 min read
Back to all News