Published on July 7, 2026

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service


Severity

Medium

Detail

Researchers have identified RedWing, a new Android banking malware offered as a Malware-as-a-Service (MaaS) through Telegram. Believed to be a variant of the Oblivion malware family, RedWing enables even low-skilled threat actors to steal banking credentials, intercept one-time passcodes (OTPs), and remotely control infected Android devices.

The malware is marketed as a complete service, providing custom malware builders, phishing pages, documentation, and Telegram-based management tools, making large-scale mobile fraud more accessible to cybercriminals.

How?

The attack begins with a phishing link that directs victims to a fake app store page impersonating platforms such as Google Play, Galaxy Store, or AppGallery. Victims are persuaded to sideload a malicious application and grant a series of permissions, including Accessibility Services, notification access, battery optimization exemptions, and default SMS privileges.

Once these permissions are granted, RedWing gains extensive control over the device. It displays fake login overlays on top of legitimate banking and cryptocurrency applications to capture credentials, intercepts SMS messages and on-screen one-time passcodes, and can enable call forwarding using hidden carrier codes to redirect bank verification calls to attackers.

The malware also provides attackers with real-time remote access through live screen streaming and keylogging while allowing them to activate the device’s camera and microphone, steal contacts, call logs, files, and location data, and even use compromised devices to participate in distributed denial-of-service (DDoS) attacks. Researchers identified 82 targeted financial institutions, primarily within the Russian financial sector, although the target list can be updated remotely without redeploying the malware.

Conclusion

RedWing demonstrates the continued evolution of Android banking malware toward on-device fraud, allowing attackers to manipulate legitimate banking sessions directly instead of relying solely on stolen credentials. Its MaaS business model and customizable infrastructure significantly lower the barrier to entry for cybercriminals while increasing the scale of potential attacks.

Users should install applications only from official app stores, avoid sideloading software from links or messages, and carefully review requests for Accessibility Services, SMS permissions, and battery optimization exemptions. Organizations managing Android devices should enforce policies that block sideloading, monitor for applications requesting high-risk permissions, and detect behavioral indicators rather than relying solely on application names or signatures.

Source

https://thehackernews.com/2026/07/redwing-maas-packages-android-bank.html