Post

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

🚨 Telegram-Hosted RedWing Malware: A New Threat!

Zimperium’s zLabs team has uncovered RedWing, an Android spyware operation sold as a subscription service through Telegram, linked to Russian threat actors and rooted in the Oblivion malware family. This service includes documentation, tutorial videos, a referral discount program, and a bot that builds custom malicious apps on demand, requiring no malware-writing skills.

The report highlights that RedWing is not just another basic piece of malware; it is a fully developed, commercial-grade MaaS (Malware-as-a-Service) product with comprehensive seller documentation and a bot-driven subscription model that lowers the entry barrier for novice attackers.

How It Works

Infection begins with a phishing link that opens a fake app store page, capable of mimicking Google Play, the Samsung Galaxy Store, or Huawei’s AppGallery. The C2 panel features a sophisticated ‘Onboarding Constructor’, and within the ‘Stealer’ configuration module, operators can deploy a deceptive ‘WebView + Cards’ interface. Through tailored social engineering lures, the malware coerces users into granting critical system access, specifically targeting three core permissions:

  • Disabling Battery Optimization
  • Setting the application as the Default SMS handler (crucial for intercepting 2FA codes)
  • Access to Notifications

Once these permissions are granted, RedWing can deploy fake login screens over real banking and crypto apps to steal credentials, read incoming texts to capture one-time codes, and use Android’s Accessibility Service to lift PINs, card numbers, and CVV values directly off the screen.

Additional Capabilities

The malicious code can also silently enable call forwarding using a hidden carrier code, redirecting all incoming calls to an attacker-controlled number, which disrupts phone-based two-factor authentication and bank fraud-prevention calls. Furthermore, RedWing can remotely activate a victim’s camera and microphone, recording audio through commands sent from the attacker’s server, with configurable recording duration. Operators gain live screen streaming via VNC, a real-time keylogger, and access to all files, contact lists, call logs, and location tracking on the device.

Zimperium identified 82 targeted institutions across multiple sectors, with a heavy focus on Russian financial firms. RedWing can also transform infected Android devices into a botnet capable of launching coordinated DDoS attacks. This operation relies entirely on the user installing an app from outside an official store and approving its permission requests, rather than exploiting Android vulnerabilities.

The report concludes that the rapid rise of Malware-as-a-Service (MaaS) operations like RedWing demonstrates how easily attackers can weaponize legitimate Android components to achieve full device compromise. RedWing integrates custom droppers, live screen streaming, and abuses the SMS handler role and Accessibility to exfiltrate data and impersonate legitimate apps in real-time.

For more details, check out the full article: Read full article

This post is licensed under CC BY 4.0 by the author.