RedWing turns Android bank fraud into a Telegram rental
Zimperium's zLabs details RedWing, an Android bank-fraud MaaS sold on Telegram — Oblivion variant, subscription tiers, prebuilt droppers, 82 target banks.
Zimperium’s zLabs group has published a writeup of a new Android malware-as-a-service operation it calls RedWing, sold as a rental on Telegram and, from the report’s evidence, built as a fresh variant of Oblivion — the $300-a-month rent-a-malware kit that was already floating around the same ecosystem. The Hacker News’ summary is the shorter read; the Zimperium post is where the details actually live. Nothing in the report changes the fundamentals of Android banking malware. What is worth sitting with is the shape of the packaging.
The buyer never touches the code. They speak to a Telegram bot, choose a target profile, and the bot returns a dropper — an APK tailored to the buyer’s chosen phishing lure and, if they want, a fake app-store page to serve it from. Zimperium documents lookalike pages built to mimic Google Play, Galaxy Store, AppGallery, and, in at least one sample, RuStore, which is the tell the report leans on when it flags the operation as focused on Russian financial firms without going as far as attributing it to Russian threat actors. The MaaS itself is sold as tiers, with a referral discount and, per Zimperium, a set of guides and how-to videos to walk paying customers through the onboarding. The malware-writing labor has been factored out of the criminal side of the transaction entirely.
What the payload actually does, in one paragraph
The capability set is not novel; the completeness is what earns the
writeup. Once installed, RedWing asks for the Android Accessibility
service through a staged sequence of pop-up cards presented as routine
setup, plus the default SMS-handler role, a battery-exemption bypass, and
notification access. It hides its own icon. From there, it runs fake login
overlays on top of banking and cryptocurrency apps, reads incoming SMS to
capture one-time codes, uses Accessibility to lift codes/card numbers/PINs
directly off the screen, silently forwards calls via the carrier *21*
prefix to defeat phone-based verification, streams the screen live,
keylogs, and can turn on the camera and microphone. Zimperium counts 82
targeted institutions across several sectors. The operator side gets a
control panel that swaps the overlay set without pushing an app update —
which means one dropper in the field is not one target list; it is
whatever list the panel says it is today. Zimperium has published
indicators of compromise and recommends behavioral detection over
name-matching, since the dropper names are per-customer.
Analysis
There is a version of this story where the interesting part is Android’s permission model — how the Accessibility service, designed for legitimate assistive tech, keeps ending up as the load-bearing primitive for banking-trojan operators, and how the “install from unknown sources” toggle keeps ending up as the load-bearing primitive for social engineering. Those are real conversations. Google is having them. Samsung is having them. They are not new conversations.
The interesting part of RedWing is that none of that is what the customer is buying. What the customer is buying is the removal of every skill required to be an Android banking trojan operator except for the ability to buy a subscription and follow a video. Building the malware is not their job. Registering the domain is not their job. Compiling the APK is not their job. Staying ahead of the antivirus signatures — the write-up notes the current droppers evade conventional tooling — is not their job. Their job is picking the target list from the control panel and pointing victims at the fake store page. There is a slow trend in criminal tooling where the specialist labor keeps moving to the vendor side of the relationship and the customer side keeps flattening into a workflow, and RedWing is a clean example of it — Fantasy Hub last quarter, Klopatra before that, Albiriox alongside them. The gatekeepers on this side of the industry aren’t the ones we’ve spent the last decade worrying about.
For defenders, the honest answer is the small one: Zimperium’s report has the IOCs, the behavioral signals are the ones already familiar to mobile-threat teams, and the individual-user advice is the same it has been for ten years — install from the store, treat any “update” that arrives by link or SMS as suspect, do not grant Accessibility access to anything that hasn’t earned it, and check whether an app has quietly removed its own icon. For everyone else, RedWing is a datapoint about where the labor goes when you productize a crime. The same mistake, different decade.
Found this useful? Share it.
