[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRl1BQ8SUtCJYhdjf8DMsRwaiUbMCK49Q240SEQ-pqus":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"5180831f-ba60-40a4-ba53-e80136d3b6ea","RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service","redwing-maas-packages-android-bank-fraud-as-a-telegram-rental-service-319811","A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts. Zimperium's zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool","A new Android malware operation named RedWing is being offered as a rental service on Telegram, enabling low-skill criminals to steal banking credentials and one-time passcodes. This \"malware-as-a-service\" (MaaS) package, potentially a variant of Oblivion, provides custom-built apps, tutorials, and evasion techniques. It targets users through phishing links that lead to fake app stores, requesting extensive permissions including Accessibility services to gain control over the device.","RedWing MaaS offers Android bank fraud tools via Telegram rental service.","RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service Swati KhandelwalJul 07, 2026Malware \u002F Mobile Security A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts. Zimperium's zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool documented earlier this year. RedWing is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand. Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools. Infection starts with a phishing link that opens a fake app-store page. The kit's dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions. The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications. It also asks to turn on Android's Accessibility service, which malware abuses to read the screen and control the phone. With those permissions, RedWing has broad control of the phone. Its capabilities include: Fake login screens, called overlays, that appear over real banking and cryptocurrency apps to steal passwords. Reading incoming texts for one-time passcodes, and using Accessibility to lift codes, card numbers, and PINs off the screen as they appear. Silently switching the victim's incoming calls over to the attacker, using a hidden carrier code (*21*) to turn on call forwarding, which knocks out phone-based verification and bank fraud-check calls. Live screen streaming and a keylogger, so operators can watch and control the phone in real time. Switching on the camera and microphone, reading files, stealing contacts and call logs, and tracking location. Pooling infected phones to flood a target website with traffic, a denial-of-service attack. Buyers choose their own targets, and the malware splits its targeting into two. The apps it watches through Accessibility are baked into each copy, which points to a fresh app being built to order once a buyer picks targets. The overlay targets, by contrast, can be changed later from the control panel without pushing out a new app. Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though that list can shift at any time. The evidence points to the Russian market: one sample used a fake page for Russia's RuStore. Experts say the operation appears linked to Russian threat actors but stops short of confirming it. RedWing fits a wider move in Android crime toward on-device fraud, where attackers operate inside the victim's own banking session instead of stealing a password to use elsewhere. Researchers flagged a near-identical Russian-market rental kit, Fantasy Hub, last year. The same techniques turn up in Albiriox, aimed at more than 400 finance apps, and Klopatra, which used hidden remote control and fake overlays to drain accounts while victims slept. RedWing needs no Android exploit. It works only when a user installs the app from outside an official store and approves the prompts, so the first line of defense is what happens at install time. For individuals: Install apps only from official stores, and treat any \"update\" that arrives by link or text message as suspect. Do not turn on \"install from unknown sources,\" and do not grant Accessibility, default text-message handler, or battery-exemption access to an app with no clear reason to need it. Watch for an app that hides its icon after it installs, a common trick for staying out of sight. On managed devices, the same choices can be enforced centrally: block sideloading, and flag apps that request Accessibility or the default-SMS role. Researchers have also published indicators of compromise for teams that want to hunt for it. Because the kit can be reskinned and its overlay targets swapped from a panel, the same code can keep resurfacing under new names, so app names are a poor way to track it. The behavior is the signal, not the name. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, banking Trojan, Cybercrime, ddos attack, Financial Fraud, Malware, mobile security, Phishing, Threat Intelligence ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fredwing-maas-packages-android-bank.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjdqPEGRKkKA7pjGNpR8hijHzJLPvyPD1g1C8bTt91eLUOFdu6Jw99i8LFybvHG9SP3syQ8shdXpC6EhinlQoB9aTgBMtejiCWAzVhhTi0o3nCTKZeKNnwDY0J_Lbf9LGN-KIQIoJ7-GW2op-JUcBg64uz5Actwh7TsFEstwNx9fXnLj4SODskUpnX9TPE\u002Fs1600\u002Fandroid-trojan-telegram.jpg","2026-07-07T17:10:15+00:00","2026-07-07T18:00:23.580243+00:00",8,[18,21,23,26,29,31],{"name":19,"type":20},"RedWing","product",{"name":22,"type":20},"Oblivion",{"name":24,"type":25},"Telegram","technology",{"name":27,"type":28},"Zimperium","vendor",{"name":30,"type":20},"Fantasy Hub",{"name":32,"type":20},"Albiriox","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44,46],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":45},{"id":33,"icon":35,"name":36,"slug":37},{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52,54,56,58,60],{"type":37,"value":19,"context":53},"Name of the new Android banking trojan MaaS operation.",{"type":37,"value":22,"context":55},"Previous rent-a-malware tool that RedWing may be a variant of.",{"type":37,"value":30,"context":57},"Similar Russian-market rental kit mentioned in the article.",{"type":37,"value":32,"context":59},"Another banking trojan with similar techniques.",{"type":37,"value":61,"context":62},"Klopatra","Banking trojan using similar techniques like hidden remote control and fake overlays."]