A newly emerging threat called RedWing malware is gaining traction on Telegram, where it is offered as a ready-to-use service for bank fraud. This tool enables even those with minimal technical skills to compromise a victim’s Android phone, extract banking credentials, and intercept one-time codes meant for account protection.
The Mechanics of RedWing Malware
Research by Zimperium’s zLabs, who identified this operation, indicates that RedWing is likely a new iteration of the Oblivion malware, previously available for $300 a month. This malware is marketed as a comprehensive package, complete with subscription options, discounts for referrals, and instructional content, eliminating the need for buyers to have malware development skills. A Telegram bot personalizes the application for each user upon request.
Conventional security tools often fail to detect the droppers and payloads created by RedWing. The infection process begins with a phishing link that directs users to a counterfeit app store page, which can imitate platforms like Google Play or the Galaxy Store. These pages, complete with fictitious ratings and download statistics, encourage users to install the app and grant necessary permissions.
Capabilities and Threats of RedWing
Once installed, RedWing gradually requests permissions, leveraging Android’s Accessibility service to monitor and manipulate the device. Its features include fake login overlays to capture passwords from banking and cryptocurrency apps, reading texts to intercept security codes, and using hidden codes to reroute phone calls. This enables attackers to bypass phone-based verifications and execute fraudulent transactions.
Furthermore, RedWing can perform live screen streaming, log keystrokes, and activate a device’s camera and microphone. It can also access files, contacts, and call logs, and even track the phone’s location. This malware can pool compromised devices to conduct denial-of-service attacks, overwhelming targeted websites with traffic.
Targeting and Prevention Strategies
RedWing allows its users to select specific targets, with its current focus being Russian financial institutions. Although the operation seems to be associated with Russian cyber actors, definitive links have not been established. This malware is part of a broader trend in Android-related crimes, shifting towards on-device fraud rather than merely stealing credentials for later use.
To safeguard against RedWing, individuals should only download apps from official stores and treat unsolicited updates with suspicion. It’s crucial to avoid enabling installations from unknown sources and granting unnecessary permissions to apps. Managed devices can enforce these precautions centrally by blocking sideloading and flagging apps requesting excessive permissions.
Security researchers have shared indicators of compromise to aid in detecting RedWing. The malware’s ability to be reskinned and have its overlay targets altered makes it challenging to track by name, emphasizing the importance of monitoring behavior over app names.
