RedWing Android Banking Malware-as-a-Service: New Rent-a-Malware Operation on Telegram Targets Banking Credentials and OTP Codes

RedWing Android Banking Malware-as-a-Service: New Rent-a-Malware Operation on Telegram Targets Banking Credentials and OTP Codes

TTP Advisory: RedWing Android Malware | No CVE | Threat Type: Malware-as-a-Service (MaaS) | Target: Android banking credentials, OTP codes | Platform: Telegram | Price: $300/month | Discovered by: Zimperium zLabs


What Happened

Zimperium zLabs has discovered a new Android malware operation called RedWing being rented out on Telegram as a ready-made bank-fraud service. RedWing is a variant of the Oblivion rent-a-malware tool, documented earlier this year at $300/month. The operation is sold as a complete product with subscription tiers, referral discounts, guides, and how-to videos — requiring no malware-writing skill from buyers. A Telegram bot builds each buyer a custom dropper app on demand. The dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages with fake ratings and reviews. A substantial number of resulting droppers and payloads currently evade conventional security tools.


Infection Chain

  • Phishing link — victim receives SMS or social media link
  • Fake app store page — the kit builds realistic storefronts (Google Play, Galaxy Store, AppGallery)
  • Dropper installation — sideloaded APK with accessibility service abuse
  • Credential theft — overlay attacks on banking apps
  • OTP interception — SMS and notification interception for one-time codes

Impact

RedWing gives low-skill criminals the ability to take over victims’ phones, steal banking logins, and capture the one-time codes that protect their accounts. The MaaS model means the barrier to entry for banking fraud has been substantially lowered — anyone with $300 can become an Android bank fraud operator.


Mitigation

  • Install apps only from official stores: Side-loading apps is the primary infection vector.
  • Deploy mobile threat defense (MTD): Solutions that detect sideloaded apps and fake store pages.
  • Monitor SMS phishing: Watch for phishing campaigns with fake app download links targeting employees.
  • Disable installation from unknown sources: Enterprise-managed devices should enforce this policy.

Recommendations

  • Enterprise Android devices: Enforce strict app installation policies via MDM.
  • User awareness: Warn employees about SMS phishing campaigns that mimic app stores.
  • Banking customers: Use banking apps with biometric authentication that is harder to bypass via overlay attacks.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 8, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!