A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim's phone, steal their banking logins, and capture the one-time codes that protect their accounts.
RedWing is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand.
Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools.
Infection starts with a phishing link that opens a fake app-store page. The kit's dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions.
The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications.
It also asks to turn on Android's Accessibility service, which malware abuses to read the screen and control the phone.
With those permissions, RedWing has broad control of the phone. Its capabilities include:
- Fake login screens, called overlays, that appear over real banking and cryptocurrency apps to steal passwords.
- Reading incoming texts for one-time passcodes, and using Accessibility to lift codes, card numbers, and PINs off the screen as they appear.
- Silently switching the victim's incoming calls over to the attacker, using a hidden carrier code (21) to turn on call forwarding, which knocks out phone-based verification and bank fraud-check calls.
- Live screen streaming and a keylogger, so operators can watch and control the phone in real time.
- Switching on the camera and microphone, reading files, stealing contacts and call logs, and tracking location.
- Pooling infected phones to flood a target website with traffic, a denial-of-service attack.
Buyers choose their own targets, and the malware splits its targeting into two. The apps it watches through Accessibility are baked into each copy, which points to a fresh app being built to order once a buyer picks targets. The overlay targets, by contrast, can be changed later from the control panel without pushing out a new app.
Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though that list can shift at any time. The evidence points to the Russian market: one sample used a fake page for Russia's RuStore. Experts say the operation appears linked to Russian threat actors but stops short of confirming it.
RedWing fits a wider move in Android crime toward on-device fraud, where attackers operate inside the victim's own banking session instead of stealing a password to use elsewhere.
Researchers flagged a near-identical Russian-market rental kit,
Fantasy Hub, last year. The same techniques turn up in Albiriox, aimed at more than 400 finance apps, and Klopatra, which used hidden remote control and fake overlays to drain accounts while victims slept.
RedWing needs no Android exploit. It works only when a user installs the app from outside an official store and approves the prompts, so the first line of defense is what happens at install time. For individuals:
- Install apps only from official stores, and treat any "update" that arrives by link or text message as suspect.
- Do not turn on "install from unknown sources," and do not grant Accessibility, default text-message handler, or battery-exemption access to an app with no clear reason to need it.
- Watch for an app that hides its icon after it installs, a common trick for staying out of sight.
On managed devices, the same choices can be enforced centrally: block sideloading, and flag apps that request Accessibility or the default-SMS role.
Researchers have also published indicators of compromise for teams that want to hunt for it. Because the kit can be reskinned and its overlay targets swapped from a panel, the same code can keep resurfacing under new names, so app names are a poor way to track it. The behavior is the signal, not the name.
<small>Source: The Hacker News</small>