← Back to blog

RedWing MaaS Brings Android Banking Fraud to Telegram

A new Android malware-as-a-service called RedWing is being offered on Telegram, enabling low-skill attackers to perform banking fraud. The service allows remote control of victims' devices to steal credentials and intercept 2FA codes.

TL;DR

  • RedWing is a new Android malware sold as a rental service on Telegram.
  • It enables remote device takeover and theft of banking credentials.
  • Attackers can bypass 2FA by capturing real-time SMS codes.
  • Priced similarly to other tools like Oblivion at $300/month.
  • Organizations should enforce app vetting and network monitoring.

Cybercriminals now have access to a powerful new tool for conducting mobile banking fraud. RedWing, a recently discovered Android malware-as-a-service (MaaS), is being marketed through Telegram channels, making it easy for even novice threat actors to compromise user devices and steal sensitive financial data.

Security researchers from Zimperium's zLabs identified the operation, noting its resemblance to the previously known Oblivion MaaS. Like its predecessors, RedWing lowers the barrier to entry for cybercrime by offering plug-and-play capabilities that include full remote access to infected smartphones and interception of two-factor authentication codes.

How RedWing Operates

  • RedWing provides a complete interface for remote control of compromised Android devices.
  • The malware captures banking login credentials entered on victim devices.
  • It intercepts SMS-based 2FA codes in real time, neutralizing account protection.
  • The service is rented monthly, targeting financially motivated, less technically skilled criminals.

Implications for Enterprise Security

  • Organizations must monitor employee devices for signs of unauthorized access tools.
  • Mobile threat defense solutions should detect and block known MaaS command-and-control traffic.
  • User awareness training should emphasize risks of installing apps from untrusted sources.
  • Network segmentation can limit lateral movement if a device is compromised.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

RedWing MaaS Brings Android Banking Fraud to Telegram — Agent Breach Blog | Agent Breach