Zimperium zLabs uncovered and documented RedWing, an Android Malware-as-a-Service platform marketed through Telegram channels that lets low-skill criminals run complete banking fraud operations. The operation, disclosed on July 7, 2026, marks the evolution of the "rent-a-malware" model already embodied by Oblivion: an ecosystem where mobile attacks no longer require development skills, just a subscription and a target. The differentiator is functional completeness, not technical sophistication: RedWing exploits no zero-day vulnerabilities, instead abusing legitimate Android services to gain total device control.
- RedWing is a MaaS platform sold on Telegram with subscription tiers, referral discounts, and video tutorials, generating custom APKs for each buyer via bot.
- Infection activates through sideloading from fake app store pages: the Dropper Constructor mimics Google Play, Galaxy Store, AppGallery, or custom templates with fake ratings and reviews.
- The malware requires the Android Accessibility service and installs as the default SMS handler, gaining overlay, keylogging, OTP interception, screen streaming, and remote control via specific C2 commands.
- Zimperium identified 82 target institutions, with a heavy focus on Russian financial entities; one analyzed sample used a fake RuStore page, Russia's official app store, as a lure.
The Commercial Model: When Malware Gets a Marketing Department
RedWing's novelty lies not in the code itself, but in its distribution architecture. According to Zimperium's analysis, the platform operates on a subscription model with differentiated tiers, referral discounts, and technical support that includes guides and video tutorials. A Telegram bot lets buyers generate custom APKs on demand, performing continuous re-skinning that renders tracking by app name or static signature ineffective.
This mass-customization mechanism poses a concrete problem for reputation-based defenses: when every campaign has its own package, signature-based detection loses predictive power. Zimperium reports that a substantial number of droppers and payloads generated through the platform evade conventional security tools, not through advanced obfuscation, but through the sheer speed of artifact rotation.
The comparison with Oblivion, a rent-a-malware tool documented earlier in 2026 at roughly $300 per month, is explicit in Zimperium's research: RedWing shares similarities in the dropper stage and overlays used, suggesting evolutionary continuity rather than clean-slate development. The exact pricing of RedWing's subscription tiers is not specified in available sources.
Social Engineering as the Only Vector: No Exploits, All Permissions
RedWing requires no Android vulnerabilities to operate. Infection starts with phishing links that open fake app store pages: the Dropper Constructor can mimic the interface of Google Play, Galaxy Store, AppGallery, or custom templates, complete with fake ratings, reviews, and download counts. One sample analyzed by Zimperium specifically used a fake RuStore page, Russia's official app store, as a lure.
Once the APK is installed, the Onboarding Constructor guides the user through a sequence of permission requests presented via WebView with a card-style interface (Cards): disable battery optimization, set the app as the default SMS handler, grant notification access. The critical step is the request for the Android Accessibility service, which turns the malware into an agent with complete device control: screen reading, touch injection, remote action execution.
This architecture, based solely on social engineering and abuse of legitimate services, makes the malware theoretically detectable but practically effective: the average user cannot distinguish between an Accessibility permission request from a fake banking app and one from a legitimate app, especially when presented in the context of a seemingly official store.
RAT Capabilities: Remote Control and Real-Time Surveillance
The C2 commands identified by Zimperium document the completeness of remote control. The RAT Admin panel lets operators send specific instructions:
The silent call forwarding functionality via hidden USSD code *21* warrants specific attention: this mechanism neutralizes anti-fraud countermeasures based on phone verification and voice 2FA, diverting calls to an attacker-controlled number before they reach the victim. Dynamic overlays can also be modified from the C2 panel without redistributing a new app, allowing real-time target updates.
Beyond banking theft, RedWing includes DDoS capabilities via pools of infected devices, turning compromised handsets into a resource for parallel network attacks. Control occurs through VNC-style screen streaming, with commands covering remote opening of apps and URLs: every infected device is, in effect, an endpoint managed as an asset in a criminal enterprise infrastructure.
What to Do Now
- Block installation from unknown sources on corporate Android devices via MDM policy, blocking sideloading unless explicitly authorized for specific apps.
- Systematically deny Accessibility, SMS, and battery optimization permission requests from apps not verified through official stores, regardless of the purported installation source.
- Implement multi-factor authentication not based on SMS or voice calls for access to corporate financial services, since RedWing intercepts both channels and forwards calls via USSD.
- Segment mobile device access to the corporate network, treating Android endpoints as a high-risk perimeter regardless of the presence of traditional EDR solutions.
"Organizations can no longer afford to treat mobile as a secondary risk. It has become one of the most vulnerable enterprise attack surfaces, with every compromised device representing a potential entry point into the corporate environment"
— Kern Smith, Vice President of Global Solutions, Zimperium
The Problem with Traditional Defenses
RedWing exposes a paradox in current mobile defenses: the malware is technically detectable but operationally invisible. It uses no exploits, requires no root, modifies no system files: it simply asks for permissions the user grants voluntarily, presenting a familiar interface and a carefully crafted onboarding flow. Conventional security solutions, designed to detect anomalous post-compromise behavior, find themselves chasing a threat that rotates signatures faster than signatures can be updated.
For the financial sector, the combination of dynamic overlays and call forwarding represents a direct challenge to layered anti-fraud controls. When the attacker can intercept SMS OTPs, read screen content in real time, and divert verification calls, the chain of trust shifts entirely to the endpoint device: if that is compromised, every additional factor becomes just another data point to capture.
The identity of RedWing's operators remains unconfirmed: Zimperium indicates apparent links to Russian threat actors but stops short of definitive attribution. The fact that matters for defense is that operator geography matters less than service geography: Telegram and the MaaS infrastructure make the point of origin irrelevant for protecting the target.
FAQ
Does RedWing need root or exploits to work?
No. According to Zimperium's analysis, RedWing operates exclusively through sideloading and user approval of permissions, without exploiting zero-day vulnerabilities or requiring root access on the device.
Can it be installed from official stores?
Sources do not document distribution via Google Play or other official stores. The identified infection mechanism uses fake app store pages that mimic legitimate store interfaces to induce sideloading.
Is there an iOS version of RedWing?
The dossier does not document iOS versions. All available analyses refer exclusively to the Android platform.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/07/redwing-maas-packages-android-bank.html
- https://www.rapid7.com/blog/post/so-ditl-day-with-your-vector-command-red-team-pod
- https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation
- https://www.aol.com/articles/zimperium-zlabs-uncovers-redwing-mobile-130000000.html
- https://news.cybertechworld.co.in/index.php/2026/07/07/redwing-maas-packages-android-bank-fraud-as-a-telegram-rental-service/
- https://zimperium.com/resources/zimperium-zlabs-uncovers-redwing-mobile-malware-as-a-service-platform-powering-full-android-device-compromise
- https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation?hs_amp
- https://thehackernews.com/
- https://thehackernews.com/p/upcoming-hacker-news-webinars.html
- https://thehackernews.com/search/label/Threat%20Intelligence
- https://thehackernews.com/search/label/Vulnerability
- https://thehackernews.com/search/label/Cyber%20Attack