Researchers uncovered RedWing, an Android malware-as-a-service platform sold on Telegram that steals banking credentials and bypasses two-factor authentication.
Cybercriminals are increasingly renting malware instead of building it themselves, and a newly discovered Android toolkit called RedWing is the latest example of that growing trend.
Researchers at Zimperium zLabs say the malware is being advertised on Telegram as a subscription service, allowing customers to generate malicious Android apps, create phishing campaigns and manage infected devices without needing to develop their own software.
The researchers believe RedWing is an evolution of Oblivion, another Android malware-as-a-service platform identified earlier this year. While the operation is currently focused on customers of Russian banks and cryptocurrency services, its techniques are not tied to a specific region and could easily be adapted for use elsewhere.
Victims are typically directed to fake websites designed to look like trusted app stores, including Google Play, Galaxy Store and Huawei AppGallery. After installing what appears to be a legitimate application, they unknowingly hand attackers broad control over their device.
Once running, RedWing abuses Android’s Accessibility Service to capture banking credentials, intercept one-time passcodes sent by SMS and display convincing fake login screens over legitimate apps. The malware can also collect contacts, call logs and other information stored on the phone, while allowing attackers to remotely control the infected device.
One capability that stands out is its ability to activate call forwarding without the victim realizing it. By redirecting incoming calls, attackers may be able to intercept phone-based verification requests used by banks as an additional layer of account security.
According to Zimperium, the service includes a Telegram bot that helps subscribers generate customized malware, along with phishing templates, management tools and setup documentation. By packaging everything into a ready-made service, RedWing lowers the barrier to entry for criminals who lack the skills to create their own malware.
The platform is another reminder that the business of cybercrime is becoming increasingly commercial. Instead of writing malicious code from scratch, attackers can now rent complete toolkits, much like legitimate software subscriptions, and quickly launch campaigns against mobile users.
For Android users, the tactics themselves aren’t new. What has changed is how accessible they’ve become. As services like RedWing continue to emerge, sophisticated mobile banking attacks are no longer limited to highly skilled threat actors, making it more important than ever to avoid installing apps from unofficial sources and to be cautious of requests for Accessibility permissions.
Related articles :
__Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.__