RedWing Android Spyware Sold as a Service on Telegram

Cybersecurity researchers have identified a new Android spyware strain, dubbed RedWing, being distributed as a malware-as-a-service (MaaS) through the Telegram messaging platform. This operation provides criminals with sophisticated tools to hijack mobile devices and steal sensitive banking credentials, even if they possess limited technical expertise. The RedWing MaaS is characterized by comprehensive seller documentation, tutorial videos, and a subscription-based model, making it accessible to a wider range of threat actors. Researchers have tentatively linked the operation to Russian threat actors, noting that many current samples evade conventional security solutions.
What distinguishes RedWing is its user-friendly acquisition and deployment process. A dedicated Telegram bot assists customers by building and obfuscating the malicious Android Package Kit (APK) files. The service also incentivizes its spread through a referral program offering discounts for new customer acquisition. Furthermore, operators can generate convincing fake app-store pages, designed to mimic legitimate platforms like Google Play, the Samsung Galaxy Store, Huawei's AppGallery, and Russia's RuStore. These deceptive pages include fabricated ratings and download counts to trick unsuspecting users into installing the malware.

Upon installation, RedWing employs a deceptive tactic by presenting a series of permission requests disguised as routine setup steps. This process aims to trick users into granting the malware essential permissions, including access to Android's accessibility services and the ability to control the SMS inbox. Once these permissions are secured, RedWing can conceal its icon and operate discreetly in the background, making it difficult for users to detect.
The primary functionality of RedWing revolves around credential harvesting through the use of fake login overlays. When a user launches a targeted banking or cryptocurrency application, RedWing displays a convincing fake login screen on top of the legitimate app, capturing the user's entered credentials. The control panel provided to operators allows them to easily add new financial institutions to the list of targets. Researchers have identified approximately 82 targeted institutions, with a significant portion being Russian financial firms.
To circumvent two-factor authentication (2FA) mechanisms, RedWing is capable of intercepting SMS-based authentication codes. Additionally, it can silently forward incoming calls to an attacker-controlled number, effectively bypassing the call-based verification methods that banks use to detect fraudulent activity. This dual approach significantly enhances the malware's ability to compromise user accounts.

Beyond credential theft and 2FA bypass, RedWing offers advanced surveillance capabilities. It provides live Virtual Network Computing (VNC) screen control, allowing attackers to remotely view and interact with the infected device's screen. The malware also includes keylogging functionality to capture keystrokes and can covertly record audio and video using the device's microphone and camera. These features enable comprehensive data exfiltration and surveillance of the victim.
Infected devices can also be leveraged for more extensive network attacks. RedWing has the capability to enlist compromised phones into a botnet, which can then be used to launch distributed denial-of-service (DDoS) attacks against targeted infrastructure. This turns individual victims' devices into tools for larger-scale cybercrime operations.
Analysis by Zimperium suggests that RedWing is likely a new iteration of an existing Android malware family known as Oblivion. This conclusion is based on similarities observed in the shared droppers and overlay techniques employed by both malware strains, indicating a potential evolution or rebranding of previously identified threats.





