Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

The Hacker News by The Hacker News
July 7, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Swati KhandelwalJul 07, 2026Malware / Mobile Security

A new Android malware operation called RedWing is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.

Zimperium’s zLabs, which found the operation, says it looks like a new variant of Oblivion, a $300-a-month rent-a-malware tool documented earlier this year.

RedWing is sold as a complete product, in subscription tiers with referral discounts, guides, and how-to videos, so a buyer needs no malware-writing skill. A Telegram bot builds each buyer a custom app on demand.

Researchers say a substantial number of the resulting droppers and payloads currently evade conventional security tools.

Infection starts with a phishing link that opens a fake app-store page. The kit’s dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or build fully custom pages, complete with fake ratings, reviews, and download counts. The page then coaxes the user into installing the app from outside the official store and approving its permissions.

The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards request permissions framed as routine: turn off battery limits, set the app as the default text-message handler, and switch on notifications.

It also asks to turn on Android’s Accessibility service, which malware abuses to read the screen and control the phone.

With those permissions, RedWing has broad control of the phone. Its capabilities include:

  • Fake login screens, called overlays, that appear over real banking and cryptocurrency apps to steal passwords.
  • Reading incoming texts for one-time passcodes, and using Accessibility to lift codes, card numbers, and PINs off the screen as they appear.
  • Silently switching the victim’s incoming calls over to the attacker, using a hidden carrier code (*21*) to turn on call forwarding, which knocks out phone-based verification and bank fraud-check calls.
  • Live screen streaming and a keylogger, so operators can watch and control the phone in real time.
  • Switching on the camera and microphone, reading files, stealing contacts and call logs, and tracking location.
  • Pooling infected phones to flood a target website with traffic, a denial-of-service attack.

Buyers choose their own targets, and the malware splits its targeting into two. The apps it watches through Accessibility are baked into each copy, which points to a fresh app being built to order once a buyer picks targets. The overlay targets, by contrast, can be changed later from the control panel without pushing out a new app.

Zimperium counted 82 targeted institutions across several sectors, with a strong focus on Russian financial firms, though that list can shift at any time. The evidence points to the Russian market: one sample used a fake page for Russia’s RuStore. Experts say the operation appears linked to Russian threat actors but stops short of confirming it.

RedWing fits a wider move in Android crime toward on-device fraud, where attackers operate inside the victim’s own banking session instead of stealing a password to use elsewhere.

Researchers flagged a near-identical Russian-market rental kit, Fantasy Hub, last year. The same techniques turn up in Albiriox, aimed at more than 400 finance apps, and Klopatra, which used hidden remote control and fake overlays to drain accounts while victims slept.

RedWing needs no Android exploit. It works only when a user installs the app from outside an official store and approves the prompts, so the first line of defense is what happens at install time. For individuals:

  • Install apps only from official stores, and treat any “update” that arrives by link or text message as suspect.
  • Do not turn on “install from unknown sources,” and do not grant Accessibility, default text-message handler, or battery-exemption access to an app with no clear reason to need it.
  • Watch for an app that hides its icon after it installs, a common trick for staying out of sight.

On managed devices, the same choices can be enforced centrally: block sideloading, and flag apps that request Accessibility or the default-SMS role.

Researchers have also published indicators of compromise for teams that want to hunt for it. Because the kit can be reskinned and its overlay targets swapped from a panel, the same code can keep resurfacing under new names, so app names are a poor way to track it. The behavior is the signal, not the name.



Source link

The Hacker News

The Hacker News

Next Post
Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

Recommended.

SK Hynix shares hit multidecade highs, Samsung also surges as chipmakers partner with OpenAI

SK Hynix shares hit multidecade highs, Samsung also surges as chipmakers partner with OpenAI

October 2, 2025
Stocks making the biggest moves after hours: Amazon, Apple, Steel Dynamics and more

Stocks making the biggest moves after hours: Amazon, Apple, Steel Dynamics and more

April 20, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio