Connect with us

NEWS

RedWing Android Malware Lets Anyone Rent a Bank-Fraud Bot on Telegram

Zimperium’s zLabs found RedWing, a Telegram-rented Android malware kit that steals banking passwords, lifts OTP codes, and forwards calls to bypass 2FA.

Published

on

Zimperium’s zLabs on July 7, 2026 disclosed RedWing, an Android malware-as-a-service (MaaS) platform sold on Telegram with subscription tiers, a build-to-order bot, and tutorial videos. Buyers need no malware-writing skill to deploy a full mobile bank-fraud kit.

Once installed, the kit can drop phishing overlays on real banking and crypto apps, read incoming SMS for one-time passcodes, silently forward calls to bypass phone-based verification, stream the screen live, and pivot the infected phone into a DDoS source. The Hacker News reports RedWing targets 82 institutions, with a heavy lean toward Russian financial firms. RedWing needs no Android exploit, no zero-day. The whole attack rides on a single human act: sideloading an app and approving the prompts.

A Telegram Shop With a Bot at the Counter

RedWing is sold the way a SaaS startup sells a dashboard. The marketing sits on public Telegram channels. A Telegram bot builds and obfuscates each buyer’s malicious APK on demand, so every sample is essentially custom-made. Subscription tiers, referral discounts, written guides, and how-to videos come with the package, which is why The Hacker News described the product as a kit that “needs no malware-writing skill.”

The vendor’s dropper builder can generate fake app-store pages mimicking Google Play, the Galaxy Store, AppGallery, or a fully custom storefront, complete with forged ratings, reviews, and download counts. The page then pushes the user to install the app from outside the official store. The Hacker News adds that “a substantial number of the resulting droppers and payloads currently evade conventional security tools.”

Malware-as-a-Service has fundamentally changed the economics of cybercrime by making sophisticated mobile attack capabilities commercially available. RedWing demonstrates how today’s threat actors can rent a complete attack platform capable of full device compromise, real-time surveillance, and enterprise credential theft, including the ability to intercept or bypass multi-factor authentication, all with little technical expertise.

Kern Smith, Vice President of Global Solutions at Zimperium, made the point in the company’s research write-up. He framed RedWing as evidence that mobile has become “one of the most vulnerable enterprise attack surfaces, with every compromised device representing a potential entry point into the corporate environment.” Organizations, he argued, can no longer afford to treat mobile as a secondary risk.

How the Install Sneaks Past You

RedWing needs no Android exploit. Infection starts with a mishing link that opens a fake app-store page on the victim’s phone, where the kit coaxes the user into installing the app from outside the official store and approving its permissions. The whole attack hinges on that single install step.

Once the app is installing, RedWing stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine setup: turn off battery limits, set the app as the default text-message handler, and switch on notifications. The final ask is Android’s Accessibility service. The permission is what malware authors prize most because it lets an app read the screen and issue taps on the user’s behalf. That single grant unlocks nearly everything else the kit does.

After the prompts are accepted, the app hides its own icon, a common persistence trick. The victim sees a generic web page close and the phone looks normal, with the kit now quietly in the system tray waiting on a target. The vendor’s dropper builder is the same tool that will swap the overlay target list later, so the kit can be retuned without shipping a new app. The access survives reboot, which is the persistence piece that lets the operator come back later.

The dropper builder that ships the kit handles the page on the front end. The Telegram bot handles the malware on the back end, generating a custom APK for each buyer.

What an Operator Can Do Once It’s In

Once active, RedWing can watch the victim in real time and reach into the device’s banking and crypto apps. Its core trick is credential harvesting through fake overlays: when a victim opens a targeted bank or crypto app, the malware drops a convincing login screen on top to steal the credentials. Operators can add new overlay targets from a control panel without pushing out a new build, and the apps RedWing watches through Accessibility are baked into each copy.

To beat two-factor authentication, RedWing reads incoming SMS for one-time passcodes. It uses Accessibility to scrape codes, card numbers, and PINs off the screen as they appear. It can also silently switch the victim’s incoming calls to an attacker-controlled number using the carrier’s *21* call-forwarding code, which redirects the fraud-check calls banks use to confirm suspicious activity. The same code is what carriers document for unconditional call forwarding.

The kit also bundles live VNC screen control, a keylogger, camera and microphone access, file and contact theft, and a DDoS switch, so an operator can pivot a single infected phone from credential harvesting to traffic flooding without leaving the control panel. The full operator toolkit, per Zimperium and The Hacker News, includes:

  • Phishing overlays on real banking and cryptocurrency apps
  • One-time passcode theft from SMS and on-screen content
  • Silent call forwarding via the *21* carrier code
  • Live VNC screen streaming and a keylogger
  • Camera, microphone, contacts, files, photos, and location exfiltration
  • Pooled DDoS attacks using infected phones as traffic sources

Eighty-Two Banks and a Russian Fingerprint

Zimperium counted 82 targeted institutions across several sectors, with a strong lean toward Russian financial firms. The targeting list can shift at any time because overlay targets are swappable from the operator panel. In one sample, researchers found a fake storefront page imitating RuStore, the Russian app market, which The Hacker News reads as the operation’s home market.

Attribution is firmer on geography than on identity. Per The Hacker News, which cites unnamed researchers, the operation appears linked to Russian threat actors but stops short of confirming it. Zimperium’s own press release stops at the broader framing of mobile threats evolving “from standalone malware to commercial attack platforms available to virtually any cybercriminal.” No public attribution to a named group has been made.

RedWing is not a one-off. Zimperium’s zLabs called it a new variant of Oblivion, an earlier Android MaaS kit documented this year as a $300-a-month rental, and the same techniques have surfaced in near-identical form across a small cluster of Russian-market rentals.

The Android MaaS kits most often named alongside RedWing:

Family First documented Distinct detail
RedWing July 7, 2026 Telegram bot builds custom APKs; 82 targeted institutions with a Russian focus
Oblivion Earlier in 2026 Earlier $300-a-month Android rent-a-malware kit
Fantasy Hub 2025 Near-identical Russian-market rental kit flagged by researchers
Albiriox Not disclosed Aimed at more than 400 finance apps
Kloptera Not disclosed Hidden remote control and overlays that drain accounts while victims sleep

The Real Chokepoint Is the Install Button

RedWing needs no Android exploit, no zero-day, no Play Store compromise. The whole attack rides on a single human act, the user tapping Install on a sideloaded APK and saying yes to a handful of permission prompts dressed up as routine setup. That rebalances the defense in a way the older banking trojans never did.

The Hacker News frames the same shift as a wider move in Android crime toward on-device fraud, where attackers operate inside the victim’s own banking session rather than stealing a password to use elsewhere. The behavior is the signal, not the name, because the same code can keep resurfacing under new labels; the kit can be reskinned and its overlay targets swapped from a control panel, so app names are a poor way to track it.

A related pattern already plays out elsewhere in the malware economy, where social-engineered lures funnel users onto booby-trapped downloads. The same install-time defenses that work against RedWing apply across a related cast of mobile threats. How poisoned download pages reach users through trusted-looking ads and the NoVoice Android malware that survived a factory reset show how the same basic shape keeps repeating across the mobile threat landscape.

What Stops It

Because RedWing needs the user to install from outside the official store and approve the prompts, the first line of defense is what happens at install time. The attack chain has no kernel exploit to defend against, no zero-day to patch, and no app store to break into. For individuals, the practical guidance from Zimperium and The Hacker News comes down to four moves:

  • Install apps only from official stores, and treat any “update” that arrives by link or text message as suspect.
  • Do not turn on “install from unknown sources.”
  • Do not grant Accessibility, default text-message handler, or battery-exemption access to an app with no clear reason to need it.
  • Watch for an app that hides its icon after it installs.

On managed devices, the same choices can be enforced centrally: block sideloading, flag apps that request Accessibility or the default-SMS role, and hunt for the indicators of compromise Zimperium’s zLabs has published. Zimperium’s Mobile Threat Defense detects RedWing using on-device AI behavioral detection that does not rely on cloud lookups or known malware signatures, per the company’s RedWing’s dropper, VNC, and overlay analysis.

Frequently Asked Questions

What is RedWing malware?

RedWing is an Android malware-as-a-service platform documented by Zimperium’s zLabs on July 7, 2026. It is sold through Telegram in subscription tiers with a build-to-order bot, dropper builder, guides, and tutorial videos, and it lets buyers run phishing, credential theft, SMS interception, call forwarding, and live device surveillance on infected Android phones.

How does RedWing infect Android phones?

RedWing spreads through mobile-targeted phishing (mishing) links that lead to a fake app-store page. The page mimics Google Play, the Galaxy Store, AppGallery, or a custom storefront, and coaxes the user into installing the app from outside the official store and approving staged permission requests, including Android’s Accessibility service.

Can RedWing bypass two-factor authentication?

Yes. The kit reads incoming SMS for one-time passcodes, uses Accessibility to scrape codes, card numbers, and PINs off the screen as they appear, and can silently forward the victim’s incoming calls to an attacker-controlled number using the *21* carrier code, which redirects phone-based verification and bank fraud-check calls.

Who is behind RedWing?

Zimperium’s zLabs has not confirmed a named threat actor. Researchers say the operation appears linked to Russian threat actors but stop short of confirming it. The targeting list of 82 institutions is heavily weighted toward Russian financial firms, and one sample used a fake storefront page imitating RuStore, the Russian app market.

How is RedWing different from older Android banking trojans?

RedWing is commercialised rather than hand-built. A Telegram bot generates a custom APK for each buyer, overlay targets can be swapped from a control panel, and the kit is sold in subscription tiers with referral discounts and tutorial videos. Zimperium calls it a new variant of Oblivion and groups it with three other recent Russian-market rentals, Fantasy Hub, Albiriox, and Kloptera.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending