TTP Advisory: RedWing Android Malware | No CVE | Threat Type: Malware-as-a-Service (MaaS) | Target: Android banking credentials, OTP codes | Platform: Telegram | Price: $300/month | Discovered by: Zimperium zLabs
What Happened
Zimperium zLabs has discovered a new Android malware operation called RedWing being rented out on Telegram as a ready-made bank-fraud service. RedWing is a variant of the Oblivion rent-a-malware tool, documented earlier this year at $300/month. The operation is sold as a complete product with subscription tiers, referral discounts, guides, and how-to videos — requiring no malware-writing skill from buyers. A Telegram bot builds each buyer a custom dropper app on demand. The dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages with fake ratings and reviews. A substantial number of resulting droppers and payloads currently evade conventional security tools.
Infection Chain
- Phishing link — victim receives SMS or social media link
- Fake app store page — the kit builds realistic storefronts (Google Play, Galaxy Store, AppGallery)
- Dropper installation — sideloaded APK with accessibility service abuse
- Credential theft — overlay attacks on banking apps
- OTP interception — SMS and notification interception for one-time codes
Impact
RedWing gives low-skill criminals the ability to take over victims’ phones, steal banking logins, and capture the one-time codes that protect their accounts. The MaaS model means the barrier to entry for banking fraud has been substantially lowered — anyone with $300 can become an Android bank fraud operator.
Mitigation
- Install apps only from official stores: Side-loading apps is the primary infection vector.
- Deploy mobile threat defense (MTD): Solutions that detect sideloaded apps and fake store pages.
- Monitor SMS phishing: Watch for phishing campaigns with fake app download links targeting employees.
- Disable installation from unknown sources: Enterprise-managed devices should enforce this policy.
Recommendations
- Enterprise Android devices: Enforce strict app installation policies via MDM.
- User awareness: Warn employees about SMS phishing campaigns that mimic app stores.
- Banking customers: Use banking apps with biometric authentication that is harder to bypass via overlay attacks.
References
- The Hacker News: RedWing Android MaaS
- Zimperium zLabs Research Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 8, 2026 Report.
