RedWing: The Rent-a-Fraud Kit Turning Android Phones Into Bank Robberies

A new Android malware sold on Telegram lets almost anyone hijack a victim's phone, steal banking logins and grab the codes meant to keep accounts safe.

ThreatVectr Newsdesk· 3 min read
Full-frame overhead photograph of an unbranded Android-style smartphone lying on a dark desk, screen glowing red with abstract geometric login form shapes, fain
Share

Key points

  • Zimperium's zLabs research team disclosed RedWing, a new Android banking malware being rented out on Telegram to would-be fraudsters.
  • Zimperium says RedWing appears to be a fresh variant of Oblivion, an earlier rent-a-malware kit that costs about $300 a month.
  • The malware takes remote control of infected Android phones and steals banking logins plus the one-time codes banks send to confirm payments.
  • The operation is sold as Malware-as-a-Service, meaning buyers do not need to write any code to run bank fraud at scale.

There is a new entry in the growing catalogue of Android banking malware, and this one comes with a price tag and a customer-service channel.

It is called RedWing. Researchers at Zimperium's zLabs, the mobile-security firm that first documented it, describe RedWing as a ready-made fraud kit rented out on Telegram. Buyers do not need to know how to code. They pay, they point, they steal.

The operation was first reported by The Hacker News.

What does RedWing actually do to a phone?

It hands the attacker the keys. Once installed on an Android device, RedWing can watch what the victim types, capture their banking username and password, and grab the one-time passcodes, meaning the short numeric codes a bank texts you to approve a payment, that are supposed to stop this exact kind of theft.

With those pieces in hand, a criminal can log into someone's mobile banking app from their own machine, approve a transfer, and drain the account before the victim notices.

Zimperium says RedWing looks like a rebrand or an evolution of an earlier kit called Oblivion, which has been rented on underground channels for roughly $300 a month. In other words, this is not a brand-new invention. It is a fresh coat of paint on a business model that already works.

Why the Telegram angle matters

Malware-as-a-Service, often shortened to MaaS, is the criminal version of a software subscription. You pay a monthly fee, you get access to a working tool, and someone else handles the updates. Telegram, the messaging app, has become the shop counter for these deals because it is easy to use and hard to police.

The effect is that Android bank fraud is no longer the preserve of skilled developers. A person with a few hundred dollars and bad intentions can now run the kind of attack that used to require a small team.

Compare it to the early days of phishing kits on the web, where criminals send fake emails to trick people into typing passwords into lookalike sites. Once those kits went on sale, the volume of phishing exploded. Mobile banking fraud is walking the same path.

What ordinary Android users should do

The practical advice is boring and it works.

Install apps only from Google Play, and even then check the developer name before tapping install. Be suspicious of any app, no matter how convincing, that asks for Accessibility Services permissions, which are the powerful controls Android uses to help people with disabilities and which malware abuses to read screens and tap buttons on your behalf.

If your banking app suddenly asks you to reinstall it, or a text message pushes you to a link to update it, stop. Go to the bank's official app store page yourself.

And if money moves out of your account without your say-so, call the bank straight away. Card networks and banks in most countries can freeze and often reverse fraudulent transfers if you flag them quickly.

RedWing is not a novel piece of engineering. It is a familiar Android overlay-and-accessibility attack, dressed up, rebranded and packaged for rental. That is precisely what makes it dangerous. The barrier to entry just got lower again.

© 2026 Threat Vectr