RedWing MaaS Offers Android Bank Fraud via Telegram

A new Android malware operation named RedWing is being offered as a ready-made bank fraud service through Telegram, enabling even individuals with minimal technical skills to hijack victims’ devices, steal banking credentials, and intercept one-time passcodes used for account security.

Security researchers have identified RedWing as a variant of Oblivion, a previously documented malware-as-a-service (MaaS) tool. RedWing is marketed as a comprehensive package, available through subscription tiers that include referral discounts, instructional guides, and tutorial videos, allowing purchasers to deploy the malware without any programming expertise. A Telegram bot facilitates the creation of customized malicious applications tailored to each buyer’s specifications.

These malicious applications are designed to evade traditional security measures effectively. The infection process typically begins with a phishing link that directs users to a counterfeit app store page. This page can mimic legitimate platforms such as Google Play, Samsung’s Galaxy Store, or Huawei’s AppGallery, complete with fabricated ratings, reviews, and download statistics. Users are then prompted to install the application from outside official app stores and grant it various permissions.

Once installed, the application requests permissions incrementally, presenting each request separately to avoid raising suspicion. A benign-looking webpage remains in the background while pop-up prompts ask for permissions that appear routine, such as disabling battery optimization, setting the app as the default messaging handler, and enabling notifications. Crucially, the app also requests access to Android’s Accessibility services, which, when granted, allow the malware to monitor and control the device extensively.

With these permissions, RedWing can:

  • Display fake login screens over legitimate banking and cryptocurrency applications to capture user credentials.
  • Read incoming SMS messages to intercept one-time passcodes and use Accessibility services to extract codes, card numbers, and PINs displayed on the screen.
  • Silently redirect the victim’s incoming calls to the attacker by activating call forwarding through hidden carrier codes, thereby circumventing phone-based verification and fraud detection calls from banks.
  • Stream the device’s screen live and log keystrokes, allowing operators to monitor and control the device in real-time.
  • Activate the device’s camera and microphone, access files, steal contacts and call logs, and track the device’s location.
  • Utilize infected devices to launch distributed denial-of-service (DDoS) attacks by overwhelming target websites with traffic.

Purchasers of RedWing can select their own targets. The malware’s monitoring capabilities are embedded into each copy, suggesting that a new application is generated for each buyer based on their chosen targets. However, the overlay targets can be modified later through the control panel without the need to distribute a new application.

Researchers have identified 82 targeted institutions across various sectors, with a significant focus on Russian financial organizations, though this list can change at any time. Evidence indicates that the operation is linked to Russian threat actors, although definitive attribution has not been confirmed.

RedWing exemplifies a broader trend in Android cybercrime towards on-device fraud, where attackers manipulate the victim’s own banking sessions rather than merely stealing credentials for use elsewhere. Similar techniques have been observed in other malware campaigns, such as Albiriox, which targeted over 400 financial applications, and Klopatra, which employed hidden remote control and fake overlays to drain accounts while victims were unaware.

The emergence of RedWing underscores the evolving landscape of mobile malware, where sophisticated tools are increasingly accessible to less technically skilled individuals through MaaS platforms. This democratization of cybercrime tools poses significant challenges for cybersecurity professionals and highlights the need for continuous vigilance and advanced security measures to protect users from such threats.