î „Swati Khandelwalî ‚Jul 07, 2026Malware / Mobile Security

A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.

Zimperium’s zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool documented earlier this year.

RedWing is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand.

Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools.

Infection starts with a phishing link that opens a fake app-store page. The kit’s dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions.

The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications.

It also asks to turn on Android’s Accessibility service, which malware abuses to read the screen and control the phone.

With those permissions, RedWing has broad control of the phone. Its capabilities include:

  • Fake login screens, called overlays, that appear over real banking and cryptocurrency apps to steal passwords.
  • Reading incoming texts for one-time passcodes, and using Accessibility to lift codes, card numbers, and PINs off the screen as they appear.
  • Silently switching the victim’s incoming calls over to the attacker, using a hidden carrier code (*21*) to turn on call forwarding, which knocks out phone-based verification and bank fraud-check calls.
  • Live screen streaming and a keylogger, so operators can watch and control the phone in real time.
  • Switching on the camera and microphone, reading files, stealing contacts and call logs, and tracking location.
  • Pooling infected phones to flood a target website with traffic, a denial-of-service attack.

Buyers choose their own targets, and the malware splits its targeting into two. The apps it watches through Accessibility are baked into each copy, which points to a fresh app being built to order once a buyer picks targets. The overlay targets, by contrast, can be changed later from the control panel without pushing out a new app.

Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though that list can shift at any time. The evidence points to the Russian market: one sample used a fake page…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 7, 2026