RedWing MaaS Packages Android Bank Fraud as Telegram Rental Service
What happened
Discovered by Zimperium's zLabs, RedWing is a new Android malware operation rented through Telegram as a ready-made bank fraud service. The malware is sold in subscription tiers with referral discounts, guides, and how-to videos, lowering the barrier for low-skill criminals. A Telegram bot can generate custom malicious apps for buyers on demand, and many of the resulting droppers and payloads reportedly evade conventional security tools.
The infection starts with phishing links that lead victims to fake app-store pages. The kit can mimic Google Play, the Galaxy Store, AppGallery, or fully custom pages with fake ratings, reviews, and download counts. Victims are then pushed to install the app from outside official stores and approve permissions one step at a time, including disabling battery restrictions, setting the app as the default SMS handler, enabling notifications, and turning on Android Accessibility services.
Once those permissions are granted, RedWing can perform on-device bank fraud. It can show fake login overlays on top of real banking and cryptocurrency apps, read SMS one-time passcodes, capture codes and PINs from the screen through Accessibility, stream the screen live, log keystrokes, control the phone, activate the camera and microphone, steal files, collect contacts and call logs, and track location. It can also silently activate call forwarding using a hidden carrier code, disrupting bank verification calls and phone-based fraud checks.
The malware’s targets can be customized by its buyers. Some app-monitoring targets are baked into each generated copy, while overlay targets can be changed later from the control panel. Researchers counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms. The operation appears linked to Russian threat actors, though that attribution has not been confirmed.
Who is affected
Android users are directly affected if they install RedWing apps from phishing links or fake app-store pages and approve the requested permissions.
Banking and cryptocurrency users face the highest risk because RedWing is designed to steal logins, intercept one-time codes, manipulate calls, and operate inside the victim’s own device session.
Organizations with Android devices in their environment are also affected if employees can sideload apps, grant Accessibility permissions, or use unmanaged phones for banking, finance, authentication, or business communications.
Why CISOs should care
RedWing shows how mobile banking fraud is becoming productized. Buyers do not need to write malware; they can rent the service, generate custom apps, choose targets, and operate from a control panel.
For CISOs, the on-device fraud model is especially important. Instead of only stealing credentials for later use, attackers can operate inside the victim’s phone, watch the screen, intercept codes, and defeat some phone-based verification checks.
The abuse of Accessibility and default SMS permissions also matters. These permissions are powerful by design, but when granted to malware, they can provide screen visibility, interaction control, and access to authentication flows.
The campaign also reinforces that app names and branding are weak indicators. The kit can be reskinned and its overlay targets changed, so defenders need to focus on sideloading, permission abuse, and behavior rather than a single app name.
3 practical actions
Block sideloading on managed Android devices: RedWing requires users to install apps from outside official stores. CISOs should enforce mobile device management controls that block unknown sources and prevent installation from phishing links.
Alert on risky mobile permissions: Security teams should flag apps requesting Accessibility, default SMS handler status, notification access, battery optimization exemptions, screen capture, or hidden icon behavior without a clear business reason.
Train users on fake app-store pages and update lures: RedWing uses realistic fake stores with ratings, reviews, and download counts. Users should be warned not to install banking, wallet, security, or update apps from links in messages, emails, or ads.
More in cybersecurity:


