Cyber Security

RedWing MaaS Introduces Android Banking Fraud as a Mobile Hiring Service

ISwati KhandelwalJuly 07, 2026Malware / Mobile Security

A new Android program called malware RedWing it is employed in Telegram as a ready-made fraud service. It allows even low-skilled hackers to take control of a victim’s phone, steal their bank logins, and capture the one-time codes that protect their accounts.

Zimperium’s zLabs, which discovered the operation, says it looks like a new variant of Oblivion, a $300-a-month malware rental tool listed earlier this year.

RedWing is sold as a complete product, in subscription sections with referral discounts, guides, and how-to videos, so the buyer doesn’t need the ability to write malware. The Telegraph bot builds a custom app for each customer on demand.

Researchers say a large number of tugs and payloads are currently evading conventional security tools.

The infection starts with a phishing link that opens a fake app store page. The pull kit builder can emulate Google Play, Galaxy Store, and AppGallery, or create fully custom pages, complete with fake ratings, reviews, and download statistics. The page then prompts the user to install the app outside the official store and approve its permissions.

The app categorizes its permission requests one screen at a time. A harmless-looking web page sits in the background while rogue cards ask for permissions installed as usual: turn off battery limits, set the app as the default text message handler, and turn on notifications.

It also asks to turn on the Android Accessibility service, which is misused by malware to read the screen and control the phone.

With those permissions, RedWing has extensive phone control. Its capabilities include:

  • Fake login screens, called overlays, from real banking and cryptocurrency apps to steal passwords.
  • Reading incoming texts for one-time pass codes, and using Access to highlight codes, card numbers, and PINs on the screen as they appear.
  • It silently switches the victim’s incoming calls to the attacker, using a hidden network code (*21*) to activate call forwarding, which removes phone-based authentication and bank fraud detection calls.
  • Live screen streaming and keylogger, so operators can view and control the phone in real time.
  • Changing the camera and microphone, reading files, stealing contacts and phone logs, and tracking location.
  • Combining infected phones to flood the target website with traffic, is a denial of service attack.

Consumers choose their targets, and the malware divides its targeting into two. Access viewing apps are baked into each copy, pointing to a new built-to-order app once a consumer has selected a target. The overlay target, in contrast, can be changed later from the control panel without pushing a new application.

Imperium has listed 82 targeted institutions in several sectors, with a particular focus on Russian financial firms, although that list is subject to change at any time. Evidence points to the Russian market: one sample used a fake Russian RuStore page. Experts say the operation appears to be linked to Russian terror actors but stop short of confirming it.

RedWing fits a broader move in Android piracy toward device-based fraud, where attackers work inside a victim’s banking session instead of stealing a password to use elsewhere.

Researchers flagged a similar Russian market rental kit, Fantasy Hub, last year. Similar tactics came from Albiriox, which targeted more than 400 financial apps, and Klopatra, which used a hidden remote control and fake overlays to withdraw accounts while victims slept.

RedWing does not require an Android exploit. It only works if the user installs the app outside of the official store and approves the prompt, so the first line of defense is what happens during installation. For each person:

  • Install apps from official stores only, and treat any “update” that comes via link or text message as suspicious.
  • Don’t turn on “installs from unknown sources,” and don’t give Accessibility, the default text message handler, or battery drain access to an app without a clear reason to need it.
  • Watch for an app that hides its icon after installation, a common trick to stay invisible.

For managed devices, the same choices can be enforced centrally: block sideloading, and flag apps that request Accessibility or the default SMS role.

Researchers have also published consensus guidelines for hunting groups. Because the kit can be redesigned and its overlay targets changed from the panel, the same code can keep appearing under new names, so app names are a bad way to track it. Behavior is a signal, not a word.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button