top of page

RedWing: Telegram-Powered Android Banking Malware Lowers the Barrier for Cybercrime


Mobile banking malware continues to evolve, but RedWing represents a significant shift in accessibility rather than technical sophistication. Instead of requiring operators to build or customize malware themselves, RedWing is offered as a subscription-based Malware-as-a-Service (MaaS) platform through Telegram, providing criminals with ready-to-use Android banking malware, documentation, video tutorials, and automated malware builders.

The result is a scalable criminal ecosystem where virtually anyone can launch sophisticated banking fraud campaigns with minimal technical expertise.



Phase 1 – Social Engineering Through Fake App Stores


The infection chain begins with phishing links directing victims to convincing fake app store pages that imitate trusted platforms such as Google Play, Galaxy Store, AppGallery, or fully customized storefronts.

These pages display fabricated ratings, reviews, and download statistics to create legitimacy and persuade users to install applications outside official marketplaces.



Phase 2 – Permission Abuse Instead of Exploits


Rather than exploiting Android vulnerabilities, RedWing relies on carefully staged permission requests.

Victims are gradually convinced to:

  • Disable battery optimizations.

  • Enable notifications.

  • Set the malicious app as the default SMS application.

  • Grant Android Accessibility permissions.

These permissions provide the malware with extensive visibility and control over the device without requiring privilege escalation exploits.



Phase 3 – Complete Banking Session Takeover


Once installed, RedWing becomes a comprehensive banking fraud platform capable of:

  • Displaying fake banking login overlays.

  • Capturing usernames and passwords.

  • Intercepting SMS one-time passwords (OTPs).

  • Reading PINs and card information directly from the screen.

  • Activating keylogging.

  • Streaming the victim’s screen live.

  • Executing remote control of the device.

  • Forwarding incoming phone calls using carrier forwarding codes.

  • Accessing contacts, files, camera, microphone, and GPS location.

  • Using compromised devices in distributed denial-of-service (DDoS) attacks.

Instead of simply stealing credentials, attackers can operate directly within the victim’s authenticated banking session.



Phase 4 – Malware-as-a-Service at Scale


One of RedWing’s most concerning aspects is its commercial business model.

Operators offer:

  • Subscription plans.

  • Referral discounts.

  • Step-by-step deployment guides.

  • Video tutorials.

  • Telegram bots that automatically generate customized malware samples.

Each customer receives malware tailored to their selected banking targets, while phishing overlays can later be modified remotely without redistributing the application.

This dramatically lowers the barrier to entry for financially motivated cybercriminals.



Defense Measures


Organizations and users should adopt a layered defense strategy:

  • Install applications exclusively from official app stores.

  • Disable installation from unknown sources whenever possible.

  • Never grant Accessibility or default SMS permissions unless absolutely necessary.

  • Carefully review every permission requested during installation.

  • Monitor devices for applications that hide their launcher icon after installation.

  • Deploy Mobile Threat Defense (MTD) or Mobile Device Management (MDM) solutions capable of detecting abusive permissions and sideloaded applications.

  • Educate users about fake application stores and phishing-based mobile attacks.



Conclusions


RedWing highlights how Android banking malware is becoming increasingly service-oriented. By combining convincing social engineering, extensive abuse of legitimate Android permissions, and a fully managed Telegram-based distribution model, attackers have transformed sophisticated banking malware into a rentable criminal service.

As these MaaS ecosystems continue to mature, organizations can no longer rely solely on malware signatures or application names. The most reliable indicators are behavioral: unauthorized Accessibility usage, suspicious permission combinations, remote-control capabilities, and unusual banking activity.

The evolution of RedWing demonstrates that the future of mobile banking fraud is not necessarily more advanced malware—but malware that is easier than ever for criminals to deploy at scale.




 
 
 
bottom of page