Listen to this Post
Introduction: The New Era of Rented Mobile Crime
Cybercrime is becoming easier to access than ever before. What once required years of malware development knowledge can now be purchased as a subscription service through underground channels. The discovery of RedWing, a new Android malware operation offered through Telegram, highlights a dangerous shift in the cyber threat landscape: criminals no longer need to build sophisticated tools themselves. They can simply rent them.
Security researchers have uncovered RedWing as a complete mobile fraud platform designed to compromise Android devices, steal financial information, bypass security protections, and provide attackers with direct control over victims’ phones. The malware is reportedly marketed as a ready-made banking fraud service, allowing inexperienced criminals to launch attacks using preconfigured tools, tutorials, and automated builders.
The operation represents a growing trend known as Malware-as-a-Service (MaaS), where cybercriminal groups operate like software companies, offering subscriptions, customer support, and regular updates to other criminals. Instead of selling stolen data alone, these groups now sell access to the entire attack infrastructure.
RedWing Malware Emerges as a Subscription-Based Android Banking Threat
A newly discovered Android malware operation named RedWing is being distributed through Telegram as a rental service for criminals looking to perform mobile banking fraud. According to researchers from Zimperium’s zLabs team, the malware allows attackers to remotely control infected smartphones, steal banking credentials, capture authentication codes, and manipulate financial applications.
The discovery shows how mobile malware has evolved from simple information theft into a complete remote fraud ecosystem. RedWing provides attackers with everything needed to target victims, including malware generation tools, instructions, promotional material, and automated systems that create customized malicious applications.
The operation appears to be connected to a previous Android malware family known as Oblivion, another rental-based banking fraud tool previously observed in underground markets. Like many modern cybercrime platforms, RedWing lowers the technical barrier by transforming advanced hacking techniques into a service that can be purchased by almost anyone.
Telegram Becomes a Marketplace for Mobile Cybercrime Services
Telegram has increasingly become a popular platform for underground cybercriminal communities because of its encrypted communication features, large user base, and ability to host automated bots. RedWing operators reportedly use Telegram as the main marketplace where customers can purchase subscriptions and generate customized malware builds.
The malware is offered through different pricing tiers, including referral discounts, documentation, guides, and instructional videos. This business model resembles legitimate software companies, except the product being sold is designed to compromise personal devices and steal financial assets.
A Telegram bot reportedly handles much of the process automatically. Criminal buyers can request customized versions of the malware without writing code or understanding Android security mechanisms.
This represents a major problem for defenders because cyberattacks are no longer limited to highly skilled groups. Criminal tools are becoming packaged products that can be operated by individuals with minimal technical knowledge.
Fake App Stores Help RedWing Infect Android Users
RedWing infections begin with social engineering rather than technical exploits. Victims are typically targeted through phishing links that redirect them to fake application download pages designed to look like legitimate Android marketplaces.
The malware toolkit can imitate popular platforms such as Google Play, Galaxy Store, and AppGallery. Attackers can also create completely customized fake stores containing fake ratings, reviews, download counters, and professional-looking interfaces.
The goal is psychological manipulation. Instead of forcing installation through vulnerabilities, criminals convince users that they are downloading a legitimate application.
This method highlights an important reality in modern cybersecurity: human trust remains one of the most exploited vulnerabilities.
RedWing Uses Permission Manipulation to Gain Full Device Control
After installation, RedWing carefully guides victims through a series of permission requests. Instead of requesting everything at once, the malware uses a gradual approach designed to appear normal.
The application may ask users to disable battery restrictions, allow notifications, become the default messaging application, and activate Android Accessibility services.
The Accessibility service is especially dangerous because it provides malware with powerful abilities normally intended for users with disabilities. Attackers can use it to read screen contents, interact with applications, press buttons, and steal sensitive information.
Once these permissions are granted, RedWing transforms the victim’s smartphone into a remotely controlled surveillance and financial theft device.
Banking Apps Become Targets Through Fake Login Overlays
One of
These fake overlays appear when a victim opens a targeted financial app. The user believes they are entering credentials into the real application, but the information is secretly transmitted to attackers.
This technique allows criminals to steal usernames, passwords, payment information, and other authentication details without needing to break into banking systems directly.
The attack is particularly effective because the victim is interacting with a familiar application while the malware operates invisibly in the background.
One-Time Passwords Are No Longer Enough Against Modern Android Malware
Many financial institutions use one-time passwords and SMS verification as additional security layers. However, RedWing demonstrates why these protections are becoming less reliable against device-compromise attacks.
The malware can read incoming messages containing verification codes and extract sensitive information directly from the screen using Accessibility features.
It can also monitor notifications, capture card numbers, and steal PIN information as users enter them.
Instead of attacking the
Hidden Call Forwarding Allows Attackers to Bypass Security Checks
Another advanced feature discovered in RedWing is its ability to secretly activate call forwarding using carrier codes such as 21.
By redirecting incoming calls to attacker-controlled numbers, criminals can prevent victims from receiving fraud alerts, verification calls, or security notifications from banks.
This technique provides attackers with another layer of control over the victim’s identity verification process.
It demonstrates how modern mobile threats combine multiple attack methods instead of relying on a single stolen password.
Remote Surveillance Turns Infected Phones Into Spy Devices
Beyond financial theft, RedWing includes extensive surveillance capabilities.
The malware can reportedly:
Stream the
Record keystrokes.
Activate cameras and microphones.
Read files stored on the device.
Collect contacts and call history.
Track physical location.
Launch denial-of-service attacks using infected devices.
This means RedWing is not simply a banking trojan. It functions as a complete remote access tool capable of turning personal smartphones into surveillance platforms.
Attackers Customize Malware for Specific Targets
Researchers found that RedWing uses a flexible targeting system. Applications monitored through Accessibility permissions are selected during malware creation, suggesting attackers generate customized versions depending on their targets.
Overlay targets can also be modified later through a control panel without requiring a completely new malware installation.
This flexibility allows criminal operators to quickly adapt campaigns against new banks, cryptocurrency platforms, or financial services.
Russian Financial Sector Appears to Be a Major Target
Researchers identified dozens of targeted financial institutions connected to RedWing activity. The strongest focus appears to involve Russian financial organizations, although researchers have not publicly confirmed the exact identity of the operators behind the campaign.
One analyzed sample reportedly included a fake page designed to imitate Russia’s RuStore application marketplace.
Security experts believe the operation may have links to Russian-speaking cybercriminal communities, but attribution remains uncertain.
Cybersecurity investigations often avoid immediate conclusions because malware infrastructure can be copied, rented, or intentionally designed to create false evidence.
Deep Analysis: Linux Commands for Investigating Android Malware Behavior
Understanding Mobile Malware Through a Security Research Perspective
RedWing demonstrates how modern malware combines social engineering, application abuse, and remote control technologies. The biggest lesson from this campaign is that attackers no longer need advanced exploits when they can convince users to install their own compromise.
The malware economy has changed dramatically. Criminal groups now build platforms instead of individual attacks. They maintain infrastructure, provide updates, offer technical documentation, and recruit customers.
This approach creates a dangerous multiplier effect. One malware developer can enable hundreds of criminals to launch attacks.
Android has become an attractive target because of its large global user base and the flexibility of application installation. Although Android security has improved, attackers continue to exploit user behavior, especially when applications are installed outside official stores.
The most important technical weakness exploited by RedWing is not an Android vulnerability. It is permission abuse.
Accessibility services, default SMS privileges, notification access, and battery optimization exemptions are powerful features. When legitimate applications use them, they provide useful functionality. When malware receives them, they become weapons.
Security teams should focus less on malware names and more on behavioral indicators. RedWing can change branding, application names, and appearance, but its actions remain recognizable.
Useful Linux commands for malware analysis and incident response include:
adb devices
Used to identify connected Android devices during forensic analysis.
adb shell pm list packages
Lists installed applications and helps identify suspicious packages.
adb shell dumpsys package <package_name>
Displays application permissions and configuration details.
adb logcat
Collects Android system logs to investigate suspicious activity.
strings suspicious.apk | grep -i "http"
Searches malware files for hidden URLs or communication endpoints.
sha256sum suspicious.apk
Creates a cryptographic fingerprint for malware tracking.
unzip -l suspicious.apk
Shows the internal structure of an Android application package.
grep -r "AccessibilityService" extracted_apk/
Helps identify applications abusing Android accessibility features.
The future of Android security will require stronger behavioral detection, improved permission monitoring, and better user education. Traditional antivirus approaches focused on identifying known files are becoming weaker because malware services can constantly rebuild themselves.
The real battlefield is now user trust, application permissions, and device behavior.
What Undercode Say:
RedWing represents one of the clearest examples of how cybercrime is becoming industrialized. The important story is not only the malware itself but the business model behind it.
Criminal groups are adopting the same strategies used by legitimate technology companies. They create products, maintain infrastructure, provide documentation, and offer customer support.
The barrier to entry for cybercrime continues to fall. A person without programming experience can now purchase access to tools that previously required advanced malware development skills.
The mobile ecosystem is becoming increasingly valuable for attackers because smartphones contain everything needed for identity theft: banking apps, authentication messages, personal conversations, location data, and payment information.
The biggest concern is the transition from credential theft to transaction manipulation. Older malware often stole passwords and waited for criminals to use them elsewhere. Modern malware operates directly inside the victim’s device, making fraudulent actions appear legitimate.
Banks and security companies must rethink mobile authentication. SMS codes, notification-based verification, and traditional password systems are becoming weaker against malware that controls the device itself.
Android users should understand that installing an unknown application is not simply adding software. It may mean giving a stranger control over their digital identity.
The RedWing operation also shows why malware attribution is becoming harder. Criminal groups can rent infrastructure, reuse code, and modify branding. A single malware family can appear under many names across different campaigns.
The strongest defense is behavioral security. Users, companies, and security tools must recognize dangerous actions such as unexpected Accessibility requests, fake update links, and applications demanding unnecessary privileges.
The future of mobile cybersecurity will depend less on detecting individual malware samples and more on detecting suspicious behavior patterns.
✅ Confirmed: RedWing is a malware-as-a-service Android threat.
Security researchers identified the operation as a subscription-based platform designed to provide mobile fraud capabilities to criminal customers.
✅ Confirmed: The malware abuses Android Accessibility features.
Researchers found that the malware uses legitimate Android functions for malicious control, including screen interaction and information theft.
❌ Not confirmed: The exact identity of RedWing operators.
Although evidence suggests connections to Russian-speaking cybercrime markets, researchers have not officially attributed the operation to a specific group.
Prediction
(+1) Mobile security companies will develop stronger behavioral detection systems that identify suspicious permission abuse and remote-control activity before financial damage occurs.
(+1) Banks will increasingly move away from SMS-based verification toward stronger device-based authentication methods.
(+1) Governments and technology companies will increase pressure on malware marketplaces operating through encrypted communication platforms.
(-1) Malware-as-a-Service operations will continue growing because cybercriminal tools are becoming cheaper and easier to use.
(-1) Android users will remain vulnerable to social engineering campaigns that convince them to install fake applications.
(-1) Criminal groups will likely create new RedWing variants with different names, interfaces, and targeting systems to avoid detection.
▶️ Related Video (66% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




