- 969
- 261
A new banking malware, RedWing, has appeared on Android, acting as a ready-made service for scammers. It's rented out through Telegram, with pricing plans, referral discounts, instructions, and training videos. Even a criminal without development skills simply needs to pay a subscription and receive a tool for stealing banking data.
The operation was discovered by specialists at Zimperium zLabs. According to their data , RedWing is similar to a new variant of Oblivion , a previously reported malware that costs $300 per month.
Buyers don't even need to build the app themselves: a Telegram bot generates a custom APK for the chosen targets.
Infection begins with a phishing link that leads to a fake app store page. The builder can replicate Google Play, Galaxy Store, AppGallery, and even create custom pages with fake ratings, reviews, and download counters. The victim is then persuaded to install the app, bypassing the official store and granting it the necessary permissions. RedWing operates carefully: it doesn't overwhelm the user with everything at once, but rather requests access permissions one by one. First, it disables battery restrictions, then configures the app as an SMS handler, enables notifications, and finally grants accessibility. This is where the phone effectively begins to operate for more than just the owner. After gaining access, the malware can display fake login windows over banking and cryptocurrency apps, read SMS messages with one-time codes, extract PINs and card numbers from the screen, perform keylogging, and broadcast the screen to the operator. Even worse, RedWing can discreetly enable call forwarding for incoming calls via the *21* code to intercept bank checks and anti-fraud calls. Its arsenal also includes access to the camera and microphone, theft of files, contacts, and call logs, geolocation tracking, and even the use of infected devices for DDoS attacks. Zimperium counted 82 target organizations, with a significant focus on Russian financial companies. One sample used a fake RuStore page. @ Anti-Malware

The operation was discovered by specialists at Zimperium zLabs. According to their data , RedWing is similar to a new variant of Oblivion , a previously reported malware that costs $300 per month.
Buyers don't even need to build the app themselves: a Telegram bot generates a custom APK for the chosen targets.
Infection begins with a phishing link that leads to a fake app store page. The builder can replicate Google Play, Galaxy Store, AppGallery, and even create custom pages with fake ratings, reviews, and download counters. The victim is then persuaded to install the app, bypassing the official store and granting it the necessary permissions. RedWing operates carefully: it doesn't overwhelm the user with everything at once, but rather requests access permissions one by one. First, it disables battery restrictions, then configures the app as an SMS handler, enables notifications, and finally grants accessibility. This is where the phone effectively begins to operate for more than just the owner. After gaining access, the malware can display fake login windows over banking and cryptocurrency apps, read SMS messages with one-time codes, extract PINs and card numbers from the screen, perform keylogging, and broadcast the screen to the operator. Even worse, RedWing can discreetly enable call forwarding for incoming calls via the *21* code to intercept bank checks and anti-fraud calls. Its arsenal also includes access to the camera and microphone, theft of files, contacts, and call logs, geolocation tracking, and even the use of infected devices for DDoS attacks. Zimperium counted 82 target organizations, with a significant focus on Russian financial companies. One sample used a fake RuStore page. @ Anti-Malware
