- A new Android malware operation called RedWing is being rented on Telegram as a ready-made bank-fraud service
- Zimperium’s zLabs discovered the operation, identifying it as a variant of the Oblivion rent-a-malware tool
- The malware targets 82 institutions with a strong focus on Russian financial firms and can steal passwords, one-time codes, and control devices remotely
A new Android malware operation called RedWing is being rented out on Telegram as a complete bank-fraud service, allowing low-skill criminals to take over victims’ phones and drain their accounts. Zimperium’s zLabs, which identified the threat, reports it is a variant of the Oblivion rent-a-malware tool documented earlier this year.
The malware is sold in subscription tiers with referral discounts, guides, and how-to videos, eliminating the need for any coding skill. A Telegram bot builds each buyer a custom app on demand, and researchers say many of the resulting droppers currently evade conventional security tools.
Infection begins with a phishing link that opens a fake app-store page mimicking Google Play, Galaxy Store, or AppGallery, complete with fake ratings and reviews. The app then stages permission requests one screen at a time, asking users to disable battery limits, set the app as the default SMS handler, and enable Android’s Accessibility service.
With those permissions, RedWing gains broad control, including fake login overlays for banking and crypto apps, interception of one-time passcodes, silent call forwarding to knock out phone-based verification, and live screen streaming. The malware can also activate the camera and microphone, steal contacts, track location, and even pool infected phones for denial-of-service attacks.
Zimperium counted 82 targeted institutions, with a strong focus on Russian financial firms, though the list can shift at any time. The operation fits a wider trend in Android crime toward on-device fraud, where attackers operate inside a victim’s own banking session rather than stealing credentials for use elsewhere. Researchers say the kit can be reskinned and its targets changed from a control panel, making app names a poor way to track it.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- SpaceX IPO Stock Recovers, Institutional Buyers Incoming
- Kenya Regulator Seeks Blockchain Analytics to Police Crypto
- Gemini launches commission-free stock trading for US customers
- SecondFi halts operations, focuses on asset return after $2.4M ADA exploit
- Bitcoin Holds $63K as Chip Stocks Lead US Market Dip
