A new threat in the form of Android malware, known as RedWing, is being offered as a service on Telegram, targeting users' banking credentials. This malicious operation allows cybercriminals, regardless of their technical proficiency, to hijack a victim's device, steal banking logins, and capture one-time passwords (OTPs) required for account access. Discovered by Zimperium's zLabs, RedWing appears to be a new variant of the previously identified Oblivion malware, which was available for rent earlier this year.
RedWing is marketed as a comprehensive package, featuring subscription options, referral discounts, instructional guides, and videos, eliminating the need for buyers to have malware development skills. A Telegram bot assists buyers in creating custom apps on demand. Notably, many of these apps evade standard security measures. The infection process begins with a phishing link leading to a counterfeit app store page, which mimics popular platforms like Google Play, Galaxy Store, and AppGallery. Users are tricked into installing the app outside official app stores and granting it the necessary permissions.
Once installed, the app requests permissions through staged prompts, asking users to disable battery limits, set the app as the default SMS handler, and enable notifications. Crucially, it also seeks access to Android's Accessibility service, a feature that malware exploits to monitor the screen and manipulate the device. With these permissions, RedWing gains extensive control over the phone.
RedWing's targeting is customizable, with buyers able to select specific targets. The malware monitors apps through Accessibility settings, and these targets are integrated into each app version. Overlay targets, however, can be modified later via the control panel without the need for app updates. Zimperium identified 82 financial institutions, predominantly Russian, as targets, suggesting a strong focus on the Russian market. While RedWing's operations seem linked to Russian threat actors, definitive attribution remains elusive.
This malware represents a broader trend in Android crime, shifting towards on-device fraud, where attackers exploit banking sessions directly on the victim's device instead of merely stealing passwords. Similar tactics were observed in Fantasy Hub, Albiriox, and Klopatra malware kits, all of which targeted financial apps.
RedWing's success hinges on users installing the app outside official stores and granting permissions. Therefore, preventing such installations and enforcing strict app permission policies on managed devices are critical defense measures. Researchers have shared indicators of compromise for teams interested in detecting RedWing, emphasizing the importance of behavioral analysis over app names, as the malware can easily be rebranded and redeployed.


