Banking-Crypto phishing windows | Image: zLabs
| Malware family | RedWing (Android spyware/RAT; suspected new variant of Oblivion) |
| Threat actor | Unnamed operators; suspected Russian-nexus, not confirmed |
| Target / victims | Mobile banking, crypto, and messaging users; 82 institutions targeted |
| Delivery vector | Mobile phishing sites and droppers posing as app stores; sideloaded APKs |
| Key capabilities | Credential overlays, SMS/2FA interception, call forwarding, VNC, keylogging, camera/mic capture, DDoS |
| Source | Zimperium zLabs, with independent coverage |
TL;DR
Zimperium’s zLabs team uncovered RedWing, an Android malware sold as a rental service. Operators lease the RedWing Android malware through a Telegram channel, complete with pricing tiers, tutorials, and a referral scheme. Once installed, it steals banking logins, intercepts 2FA codes, and grants full remote control.
Delivery
The RedWing Android malware spreads through mobile phishing, not official app stores. A “Dropper Constructor” in the control panel builds fake store pages. These pages mimic Google Play, the Galaxy Store, AppGallery, and Russia’s RuStore. Operators fake ratings, reviews, and update banners to push a victim to install. zLabs notes the panel lets operators tune “application metadata” to boost credibility. Notably, RedWing needs no Android exploit. It relies entirely on the user sideloading the app and approving its permission requests.
Infection chain
After install, RedWing runs an onboarding flow built from overlay “cards.” Each card nudges the user to grant one permission. The malware first wants a battery-optimization exemption, default SMS handler status, and notification access. It then pushes for Android’s Accessibility Service. That permission is the master key. With it, RedWing can read the screen, simulate taps, and lift data as it appears. The app also hides its icon to stay out of sight.
Command-and-control and data theft
RedWing reports each granted permission to its C2 in real time. That telemetry tells operators which commands will work. From the panel, attackers drop fake login overlays on top of real banking and crypto apps. These injects capture card numbers, PINs, and seed phrases. The malware reads incoming texts to grab one-time codes. It can also switch on silent call forwarding through a hidden carrier code, which defeats voice-based 2FA. zLabs counted 82 targeted institutions, most of them Russian financial firms.
The surveillance goes further. RedWing streams the screen over VNC using the MediaProjection API. A built-in keylogger captures on-screen input. Operators can trigger the camera and microphone, read files, steal contacts and call logs, and track location. Infected phones can even be pooled into a DDoS botnet.
Built to order
The targeting design is telling. The apps watched through Accessibility are baked into each compiled copy. That points to a fresh app built server-side once a buyer picks targets. Overlay targets, by contrast, can change from the panel at any time.
Attribution
Attribution is suspected, not confirmed. zLabs says RedWing “appears to have links to Russian threat actors.” The team also sees it as a likely new variant of the Oblivion malware, based on shared droppers and overlays. Reports describe Oblivion as an earlier rent-a-malware kit priced near $300 a month. Treat both links as suspected.
A commercial-grade operation
RedWing sells like a real product. zLabs calls it a “fully developed, commercial-grade MaaS product.” Advertised plans reportedly run from a free one-hour test up to $200 per month in USDT. A referral scheme pays 15% to 25% commission to spread it. Present those figures as sellers’ claims. This malware-as-a-service model lets low-skill buyers run bank fraud with no coding.
How to stay protected
Users can block most of this risk at install time. Install apps only from official stores. Avoid sideloading APKs from links, ads, or chats. Be wary of any app that demands Accessibility, default SMS, or notification access without a clear reason. Watch for apps that hide their icon after setup. Banks should treat sudden call-forwarding and SMS anomalies as fraud signals. For the full technical breakdown, read Zimperium’s RedWing analysis.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.