Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Rise of RedWing: A Malware-as-a-Service Threat to Android Devices



RedWing is a fully developed malware-as-a-service (MaaS) operation that can be rented for less than the cost of a coffee subscription, posing a significant threat to Android device users. The spyware leverages legitimate Android components and integrates custom droppers, live screen streaming, and SMS handler abuse to exfiltrate sensitive information in real time.

  • Pierluigi Paganini has highlighted a new threat to mobile devices known as RedWing, a fully developed malware-as-a-service operation sold through Telegram.
  • RedWing is an Android banking Trojan linked to Russian threat actors and part of the Oblivion malware family.
  • The spyware can be rented by anyone for less than the cost of a coffee subscription, with no need for programming skills required.
  • Infection occurs when users install apps from outside official stores and approve permission requests.
  • RedWing steals sensitive information such as login credentials, PINs, card numbers, and activates devices' cameras and microphones.
  • The malware can transform infected Android devices into botnets for DDoS attacks and reskin itself with new targets from a control panel.
  • MaaS operations like RedWing are challenging to spot due to their ability to change behavior rather than app name alone.
  • Users must be vigilant about protecting their devices and maintain strict security hygiene practices when installing new apps.



  • Pierluigi Paganini has shed light on a new threat to mobile devices, known as RedWing, a fully developed and commercial-grade malware-as-a-service (MaaS) operation sold as a subscription service through Telegram. The Zimperium's zLabs team discovered that this Android spyware can be rented by anyone for less than the cost of a coffee subscription.

    According to reports, RedWing is an Android banking Trojan with links to Russian threat actors and apparent roots in the Oblivion malware family. It comes equipped with documentation, tutorial videos, a referral discount program, and even a bot that builds custom malicious apps on demand. With no need for any programming skills required, novice attackers can easily rent this spyware tool.

    Infection begins when users install an app from outside of an official store and approve its permission requests, which puts the first line of defense at risk. RedWing leverages Android's Accessibility Service to gain control over user devices, stealing sensitive information such as login credentials, two-factor codes, PINs, card numbers, CVV values, and even activating a device's camera and microphone.

    The malicious code also enables call forwarding using a hidden carrier code, rendering the phone-based two-factor authentication useless. Moreover, RedWing can transform infected Android devices into botnets capable of launching coordinated Distributed Denial-of-Service (DDoS) attacks against targets.

    What sets RedWing apart from other malware operations is its flexibility and ability to reskin itself with new targets from a control panel. This makes it challenging for users to identify and spot the threat, as behavior is what should be watched out for rather than the app name alone.

    This highlights how easily attackers can weaponize legitimate Android components to achieve full device compromise using MaaS operations like RedWing. Unlike older banking trojans that relied solely on overlays, this spyware integrates custom droppers, live screen streaming, and abuse of SMS handler roles to exfiltrate data in real time.

    As BYOD (Bring Your Own Device) environments continue to grow, the threat posed by MaaS operations such as RedWing is particularly concerning. Users must be vigilant about protecting their devices from malicious apps and maintain strict security hygiene practices when installing new apps.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-RedWing-A-Malware-as-a-Service-Threat-to-Android-Devices-ehn.shtml

  • https://securityaffairs.com/194942/malware/telegram-hosted-redwing-malware-lets-anyone-rent-android-spyware-tools.html


  • Published: Wed Jul 8 08:42:42 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us