Ethical Hacking News
RedWing MaaS Packages: A Growing Threat to Android Users' Banking Security
A new Android malware operation called RedWing has been discovered being rented out on Telegram as a ready-made bank-fraud service. The operation, linked to Russian threat actors, allows low-skill criminals to steal banking logins and capture one-time codes. Experts warn users to be vigilant and take necessary precautions to protect their devices from this growing threat.
RedWing, a new Android malware operation, has been discovered being rented out on Telegram as a ready-made bank-fraud service. The operation, linked to Russian threat actors, allows low-skill criminals to take over phones, steal banking logins, and capture one-time codes. RedWing is a complete product sold in subscription tiers with referral discounts, guides, and how-to videos, making it accessible to anyone without malware-writing skills. The infection process starts with a phishing link that opens a fake app-store page, then coaxes users into installing the app from outside official stores. Once installed, RedWing has broad control of the phone, including fake login screens, reading incoming texts for one-time passcodes, and using Accessibility to lift codes. The malware also silently switches incoming calls, uses live screen streaming, and has a keylogger, allowing operators to watch and control the phone in real time. Buyers can choose their own targets, and the malware splits its targeting into two, creating fresh apps for each target. The operation appears linked to Russian threat actors but stops short of confirming it, targeting 82 institutions across several sectors. RedWing fits a wider move in Android crime toward on-device fraud, and the same techniques used in earlier malware operations have turned up in RedWing. To protect against this threat, individuals should be vigilant, install apps only from official stores, and take other precautions.
RedWing, a new Android malware operation, has been discovered being rented out on Telegram as a ready-made bank-fraud service. The operation, which is believed to be linked to Russian threat actors, allows even low-skill criminals to take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts.
The RedWing malware operation was discovered by Zimperium's zLabs, which found that it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool documented earlier this year. The RedWing package is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, making it accessible to anyone who wants to steal banking information without needing any malware-writing skills.
The infection process starts with a phishing link that opens a fake app-store page. The kit's dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions.
Once installed, the app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications.
With those permissions, RedWing has broad control of the phone. Its capabilities include fake login screens that appear over real banking and cryptocurrency apps to steal passwords, reading incoming texts for one-time passcodes, and using Accessibility to lift codes, card numbers, and PINs off the screen as they appear.
The malware also silently switches the victim's incoming calls over to the attacker, using a hidden carrier code (*21*) to turn on call forwarding, which knocks out phone-based verification and bank fraud-check calls. Additionally, RedWing has live screen streaming and a keylogger, so operators can watch and control the phone in real time.
The malware also switches on the camera and microphone, reads files, steals contacts and call logs, and tracks location. Furthermore, buyers can choose their own targets, and the malware splits its targeting into two. The apps it watches through Accessibility are baked into each copy, which points to a fresh app being built to order once a buyer picks targets.
Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms. However, the list of targeted institutions can shift at any time. The operation appears linked to Russian threat actors but stops short of confirming it.
RedWing fits a wider move in Android crime toward on-device fraud, where attackers operate inside the victim's own banking session instead of stealing a password to use elsewhere. This is similar to other malware operations like Fantasy Hub and Albiriox, which were flagged by researchers last year.
The same techniques used in RedWing have turned up in these earlier malware operations. For instance, Fantasy Hub was a near-identical Russian-market rental kit, while Albiriox aimed at more than 400 finance apps.
To protect against this growing threat, individuals need to be vigilant and take several precautions. They should install apps only from official stores, treat any "update" that arrives by link or text message as suspect, do not turn on "install from unknown sources," and do not grant Accessibility, default text-message handler, or battery-exemption access to an app with no clear reason to need it.
On managed devices, the same choices can be enforced centrally: block sideloading, and flag apps that request Accessibility or the default-SMS role. Researchers have also published indicators of compromise for teams that want to hunt for RedWing malware.
Because the kit can be reskinned and its overlay targets swapped from a panel, the same code can keep resurfacing under new names, so app names are a poor way to track it. The behavior is the signal, not the name. As such, users need to stay alert to this threat and take necessary precautions.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-RedWing-MaaS-Packages-A-Growing-Threat-to-Android-Users-Banking-Security-ehn.shtml
https://thehackernews.com/2026/07/redwing-maas-packages-android-bank.html
Published: Tue Jul 7 13:05:23 2026 by llama3.2 3B Q4_K_M