Security Affairs
Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

RedWing: The Android Banking Trojan You Can Rent on Telegram for Less Than a Coffee Subscription Zimperium’s zLabs team has uncovered RedWing, an Android spyware operation sold as a subscription service through Telegram, with links to Russian threat actors and apparent roots in the Oblivion malware family. It comes with documentation, tutorial videos, a referral […]

RedWing Malware

RedWing: The Android Banking Trojan You Can Rent on Telegram for Less Than a Coffee Subscription

Zimperium’s zLabs team has uncovered RedWing, an Android spyware operation sold as a subscription service through Telegram, with links to Russian threat actors and apparent roots in the Oblivion malware family.

It comes with documentation, tutorial videos, a referral discount program, and a bot that builds custom malicious apps on demand. No malware-writing skill required.

“Far from being just another basic piece of malware sold online, RedWing is a fully developed, commercial-grade MaaS product with seller documentation, videos, and a bot-driven subscription model that provides a low entry barrier for novice attackers.” reads the report published by Zimperium. “As a proof of this, the APK customization/obfuscation/creation can be fully implemented through telegram.”

Infection starts with a phishing link that opens a fake app store page. The dropper builder can mimic Google Play, the Samsung Galaxy Store, or Huawei’s AppGallery with fake ratings, reviews, and download counts.

“the C2 panel features a sophisticated ‘Onboarding Constructor‘. Within the ‘Stealer’ configuration module, operators can deploy a deceptive ‘WebView + Cards’ interface. This mechanism loads a benign-looking webpage in the background to establish legitimacy, while sequentially overlaying customized permission prompts (cards) from the bottom of the screen.” continues the report. “Through tailored social engineering lures, the malware coerces the user into granting critical system access, specifically targeting three core permissions: disabling Battery Optimization (to ensure uninterrupted background execution), setting the application as the Default SMS handler (crucial for intercepting 2FA codes), and access to Notifications.”

Once installed, the app walks the victim through permission screens one at a time, disable battery optimization, set the app as the default SMS handler, enable notifications, framed as routine setup steps.

With those permissions in place, RedWing has deep system access. It deploys fake login screens over real banking and crypto apps to steal credentials, reads incoming texts to capture one-time codes, and uses Android’s Accessibility Service to lift PINs, card numbers, and CVV values directly off the screen as they appear.

The malicious code also silently enables call forwarding using a hidden carrier code, 21, redirecting all incoming calls to an attacker-controlled number, which knocks out phone-based two-factor authentication and bank fraud-prevention calls in one move.

The researchers pointed out that the surveillance capabilities go further. RedWing can remotely activate a victim’s camera and microphone, recording audio through commands sent from the attacker’s server with configurable recording duration.

“The malware is capable of remotely activating the cameras and the microphone of an infected device (Fig. 12). This functionality is executed via specific commands. For instance, the <take_photo> command allows the attacker to remotely capture images using the device’s camera. Similarly, the <start_recording> command leverages the MediaRecorder API to capture ambient audio.” continues the report. “This audio recording process is managed entirely from the remote server, which allows the attacker to configure the exact duration of the recording, among other parameters.”

On top of that, operators get live screen streaming via VNC, a real-time keylogger, access to all files on the device, contact lists, call logs, and location tracking.

The targeting architecture reveals something telling about how RedWing is built. The apps it monitors through Accessibility are baked into each compiled copy, which points to a fresh APK being generated server-side each time a buyer specifies their targets. The overlay targets, by contrast, can be updated from the control panel at any time without distributing a new app.

Zimperium identified 82 targeted institutions across multiple sectors, with a heavy focus on Russian financial firms, one sample used a fake RuStore page, though the list can shift at any time from the operator’s dashboard.

RedWing doesn’t need any Android vulnerability to work. It relies entirely on the user installing an app from outside an official store and approving its permission requests. The first line of defense is what happens at install time: don’t install apps from links sent by text or messaging apps, don’t grant Accessibility or default-SMS access to apps with no clear reason to need them, and treat any app that hides its icon after installation as a red flag. On managed devices, sideloading can be blocked centrally and suspicious permission requests flagged automatically.

RedWing can also transform infected Android devices into a botnet capable of launching coordinated DDoS attacks. Through its control panel, attackers can command multiple compromised phones at once to send traffic floods against a target website or server, disrupting its availability and adding another capability beyond spying and data theft.

Because operators can reskin the app and swap its targets from the control panel, the app name is a poor indicator, behavior is what to watch for.

“The rapid rise of Malware-as-a-Service (MaaS) operations like RedWing shows how easily attackers can weaponize legitimate Android components to achieve full device compromise. Unlike older banking trojans that rely solely on overlays, RedWing integrates custom droppers, live screen streaming, and abuse of the SMS handler role and Accessibility to exfiltrate data and impersonate legitimate apps in real time.” concludes the report. “This blend of social engineering and hijacking the incoming calls makes this deep-system control especially dangerous in BYOD and consumer-facing environments where app-store trust is assumed.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Malware)