The Rental Model for Mobile Fraud
A new Android malware operation known as RedWing is being offered as a rental service through Telegram, dramatically lowering the barrier for cybercriminals to commit bank fraud. Security researchers at Zimperium’s zLabs identified this operation as a likely variant of the Oblivion malware, a $300 per month rent a malware tool. The service provides subscribers with custom built apps on demand via a Telegram bot, along with tutorials, guides, and referral discounts, meaning no technical expertise is required to launch attacks.
Infection and Capabilities
The attack begins with a phishing link that presents a fake app store page mimicking Google Play, the Galaxy Store, or AppGallery, complete with fabricated ratings and reviews. Once a user installs the app from outside official stores and grants permissions, the malware gains extensive control. RedWing can display fake login screens over legitimate banking apps, intercept SMS one time codes, silently forward the victim’s calls to the attacker using carrier codes, stream the device screen live, and activate the camera and microphone. It also facilitates denial of service attacks by pooling infected devices.
Targeting and Defenses
The malware’s targeting is split into two categories. Accessibility service targets are hardcoded per copy, allowing each buyer to customize targets at purchase. Overlay targets for fake login screens can be changed remotely through the control panel. Zimperium identified 82 targeted institutions with a strong focus on Russian financial firms. The operation shows indicators linking to Russian threat actors. Protection relies on user vigilance: only install apps from official stores, avoid granting Accessibility or default SMS handler permissions to apps without clear justification, and watch for apps that hide their icons after installation.
Source: The Hacker News
