RedWing Android Spyware Sold as a Service on Telegram

Written by

A new Android spyware strain has been observed being rented out to criminals through Telegram, giving even low-skilled attackers the tools to hijack phones and steal banking credentials, researchers have found.

Zimperium's zLabs named the malware RedWing and described it as a polished malware-as-a-service (MaaS) operation with seller documentation, tutorial videos and a subscription model.

The firm linked it to Russian threat actors and said many of its samples currently slip past conventional security tools.

Built to Order on Telegram

What set RedWing apart was how easy it was to buy and deploy. A Telegram bot built and obfuscated the malicious APK for the customer, while a referral scheme offered discounts for spreading it further.

Operators could also generate fake app-store pages, mimicking Google Play, the Galaxy Store, AppGallery or Russia's RuStore, complete with bogus ratings and download counts to lure victims into installing it.

Once installed, RedWing walked the victim through a series of permission prompts dressed up as routine setup, coaxing them into granting the access it needed, including Android's accessibility service and control of the SMS inbox. From there, it could hide its own icon and run quietly in the background.

Read more on Android banking trojans: Rokarolla Trojan Combines Banking Fraud With Device Surveillance

Overlays, Call Forwarding and DDoS

RedWing's core trick was credential harvesting through fake overlays. When a victim opened a targeted banking or cryptocurrency app, it dropped a convincing login screen on top to steal their details, with operators able to add new targets from the control panel.

zLabs counted 82 targeted institutions, most of them Russian financial firms.

To defeat two-factor authentication (2FA), the malware intercepted SMS codes and could silently forward the victim's incoming calls to an attacker's number, sidestepping the confirmation calls banks use to check for fraud.

It also provided live VNC screen control, keylogging and covert recording from the camera and microphone. Infected phones could even be pooled into a botnet for denial-of-service (DDoS) attacks.

Zimperium said RedWing appeared to be a new variant of an Android malware family known as Oblivion, based on shared droppers and overlays.

What’s Hot on Infosecurity Magazine?