Full Report
A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts. Zimperium's zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool
Analysis Summary
# Tool/Technique: RedWing (Android Banking Trojan)
## Overview
RedWing is a mobile Malware-as-a-Service (MaaS) operation distributed via Telegram. It functions as a sophisticated banking Trojan and Remote Access Trojan (RAT) designed to facilitate on-device fraud. By abusing Android's Accessibility services and other system permissions, it allows attackers to intercept one-time passwords (OTPs), manipulate banking apps via overlays, and gain full remote control of the compromised device.
## Technical Details
- **Type**: Malware Family (Banking Trojan / RAT)
- **Platform**: Android
- **Capabilities**: Overlay attacks, SMS interception, Accessibility Service abuse, Keylogging, Screen Streaming, Call Forwarding, and DDoS.
- **First Seen**: Documented July 2026 (Likely active earlier in 2026).
## MITRE ATT&CK Mapping
- **[TA0031 - Network Effects]**
- [T1498 - Denial of Service]
- **[TA0037 - Command and Control]**
- [T1511 - Common Protocols]
- **[TA0035 - Collection]**
- [T1417 - Input Capture]
- [T1417.001 - Keylogging]
- [T1430 - Location Tracking]
- [T1512 - Screen Capture]
- **[TA0030 - Persistence]**
- [T1624 - Event Triggered Execution]
- [T1624.001 - Accessibility Service]
- **[TA0033 - Credential Access]**
- [T1411 - Input Injection] (Overlays)
- [T1636.002 - SMS Messages]
## Functionality
### Core Capabilities
- **Phishing Overlays**: Generates fake login screens over banking and cryptocurrency applications to harvest credentials.
- **SMS Exfiltration**: Intercepts incoming text messages to capture 2FA/MFA codes.
- **Accessibility Abuse**: Uses Android Accessibility services to scrape screen content, including card numbers and PINs, and to automate actions.
- **Call Manipulation**: Uses the `*21*` carrier code to enable silent call forwarding, preventing banks from reaching victims for fraud verification.
- **Dropper Customization**: A Telegram-based bot generates custom droppers that mimic legitimate app stores (Google Play, Galaxy Store, RuStore).
### Advanced Features
- **Live RAT Functionality**: Supports real-time screen streaming and micro-management of the device by the operator.
- **Device Pooling (DDoS)**: Can aggregate infected devices to perform distributed denial-of-service attacks against specific web targets.
- **AV Evasion**: Employs a builder that generates fresh payloads frequently to bypass traditional signature-based detection.
- **Dynamic Targeting**: Allows operators to update overlay targets via a control panel without needing to reinstall the malware on the victim's device.
## Indicators of Compromise
*Note: Specific hashes were not provided in the source text. Analysts should look for the following patterns.*
- **File Names**: Often masquerades as system updates, browser updates, or banking security plugins.
- **Network Indicators**:
- `t[.]me/` (Telegram bot API used for C2 and builder interactions)
- Look for traffic to non-standard domains mimicking official app stores (`galaxy-store-update[.]com`, etc.).
- **Behavioral Indicators**:
- Requests for "Accessibility Service" under suspicious circumstances.
- Unexpected request to become the "Default SMS App."
- Hidden application icons immediately following installation.
- Unusual battery drain due to constant background screen streaming.
## Associated Threat Actors
- **Unknown (Likely Russian-speaking)**: Strong indicators point to Russian origin due to the targeting of Russian financial institutions and the use of the RuStore-themed phishing templates.
## Detection Methods
- **Signature-based**: Monitor for known variants of the "Oblivion" or "RedWing" codebase.
- **Behavioral Detection**:
- Identification of apps requesting `BIND_ACCESSIBILITY_SERVICE` combined with `RECEIVE_SMS`.
- Detection of the `*21*` MMI code execution which triggers call forwarding.
- Monitoring for high-frequency screen scraping or overlay creation.
## Mitigation Strategies
- **Prevention**:
- Restrict Android devices to "Official Sources Only" (disable Sideloading).
- Educate users to never grant "Accessibility Service" or "Default SMS Handler" permissions to unknown or third-party apps.
- **Hardening**:
- Use Mobile Threat Defense (MTD) solutions that can detect overlay activity and unauthorized SMS access.
- Implement "binding" of banking apps to hardware tokens rather than SMS-based 2FA where possible.
## Related Tools/Techniques
- **Oblivion**: The predecessor or parent variant of RedWing.
- **Fantasy Hub**: A near-identical Russian-market rental kit identified in late 2025.
- **Albiriox**: Another MaaS Trojan targeting over 400 financial apps.
- **Klopatra**: A banking Trojan specialized in remote control and overnight account draining.