-
RedWing, a new malware-as-a-service tool that lets cyberattackers with little to no coding skill to build malware, is currently being distributed via Telegram.
-
The malware can steal bank logins and two-factor authentication codes, and even record audio and video on infected devices.
-
Zimperium, a cybersecurity company, says they’ve found proof connecting RedWing to Russian hackers and the Oblivion malware family.
Cybersecurity experts have discovered a new Russia-linked spyware that targets Android devices. The criminals are selling this spyware using a subscription-based service through Telegram.
The malware, referred to as RedWing, is like a starter kit for criminals. It comes with setup guides, video tutorials, and even a referral discount to rope in more people. There’s also a bot that helps subscribers build custom malware on demand.
A Complete Crime Kit in your Pocket
RedWing isn’t just another piece of malware floating around the dark web. It’s a fully developed, commercial-grade operation that lowers the barrier for entry so much that even a complete novice can become a cybercriminal.
The whole operation runs through a Telegram channel. Subscribers can pick from different price plans and, if they want, earn discounts using a referral program. The Telegram bot is very slick, it builds, customizes, and hides a malicious app, all in real time, tailored to whatever the buyer wants.
After building a bot, it can serve as a custom phishing webpage taking the appearance of legit app stores like Google Play and the Galaxy Store. The page will show fake ratings and download counts.
All of this starts the moment someone clicks on a phishing link that leads to a fake app store page. The threat of malicious apps extends to official stores, fake call history apps on Google Play have been used to defraud millions, ESET warns.
If they install the app, RedWing continues the setup by requesting permissions, and that’s where trouble really starts.
This application prompts its users to turn off battery optimization, set the application as the default for SMS messages, and get notifications. The real danger, however, comes when it asks for Accessibility permission. With that, the malware essentially owns the phone.
Stealing Data and Bypassing 2FA
Upon entry into the system, RedWing has a complete suite of tools for stealing and spying. The malicious software is capable of putting up fake login pages, or overlays, over authentic banking and cryptocurrency applications to steal credentials.
It reads incoming texts to capture one-time passcodes and uses Accessibility to pick up PINs, card numbers, and CVV values directly from the screen. Researchers have identified 82 targeted institutions so far, with a heavy focus on Russian financial firms.
One of its smartest moves includes bypassing two-factor authentication. This malware is able to secretly employ an invisible carrier code (*21*). It uses this code to redirect all the calls that come in from the infected phone to another phone number. This completely neutralizes phone-based verification and bank fraud prevention calls.
This malware takes surveillance a step further. The intruder can turn the camera and microphone on the device and take photos and record conversations. They are also capable of viewing the screen in real-time, with access to files, calls, and indeed much more.
That’s a total invasion of privacy. Researchers pointed out that the code relies on <take_photo> and <start_recording> commands to do its dirty work. The attacker can even set the recording length from a remote server. But it doesn’t end there. Once the malware enters the phone, it can turn it into a botnet node for coordinated DDoS attacks.
A New Era of Mobile Threats
RedWing represents a significant evolution in mobile malware. Unlike older Trojans that rely on basic overlays, this MaaS integrates custom droppers, live screen streaming, and deep system control.
The report concludes that combining social engineering and hijacking incoming calls makes this attack especially dangerous in environments where app-store trust is assumed.
The good news is that RedWing doesn’t exploit any Android vulnerabilities. It depends completely on the user to download the app from an unregulated source and grant permission to such apps.
The simplest method of protection against this attack is not downloading any app that sends messages through SMS or messaging applications. And never grant any app Accessibility or default-SMS permissions unless there is a valid reason.
Requesting to hide the icon of the app post-installation is another big indicator of a threat. For managed devices, there are ways to minimize the dangers.