RedWing packages a complete Android banking fraud toolkit as a Telegram rental service letting low skill criminals deploy fake overlays steal one time passcodes forward calls and stream victim screens in real time across 82 targeted financial institutions.
Consider a criminal with no coding skill at all opening a Telegram channel typing a few messages and within minutes receiving a custom Android app already configured to impersonate a specific bank. The app looks legitimate. It requests permissions one at a time in ways that feel routine.
And once installed it can drain a banking account while the victim watches what appears to be a perfectly normal transaction screen. This exact service just landed on security researchers radar under the name RedWing and it represents a genuinely alarming step forward in how accessible professional grade mobile banking fraud has done.
RedWing Android Fraud Explained
Zimperium’s zLabs team discovered RedWing operating as a full Malware as a Service operation rented through Telegram. The kit offers subscription tiers complete with referral discounts usage guides and tutorial videos meaning a buyer needs zero technical knowledge to deploy a functional banking trojan against real victims. A Telegram bot handles the entire build process on demand generating a custom application already configured for whichever targets the buyer specifies.

(source: Zimperium zLabs)

(source: Zimperium zLabs)

(source: Zimperium zLabs)
Researchers describe RedWing as appearing to share significant code lineage with an earlier rental kit called Oblivion which previously surfaced priced at around three hundred dollars per month. The connection suggests an existing criminal development team rather than a newcomer building from scratch which explains the operational maturity visible throughout the kit’s design.

(source: Zimperium zLabs
Infection begins with a phishing link leading to a fake application store page. The dropper builder included in the kit can clone the appearance of Google Play the Samsung Galaxy Store and Huawei AppGallery or generate entirely custom pages complete with fabricated star ratings fake user reviews and falsified download counts.

(source: Zimperium zLabs)
Once a victim reaches the page the social engineering flow pushes them toward installing the application from outside any official store and approving a series of permissions staged to feel unrelated and routine rather than alarming.

(source: Zimperium zLabs)

(source: Zimperium zLabs)
The permission staging represents one of the more carefully designed elements of the entire kit. A harmless looking web page stays visible in the background while popup cards appear sequentially requesting battery optimization exemption then default SMS handler status then notification access.
The critical request for Android Accessibility Service access gets blended into this sequence framed in language suggesting it serves a normal functional purpose. Once Accessibility access lands the application gains the capability to read any content appearing on screen control interface elements and observe everything the victim types.

(source: Zimperium zLabs)
With that combination of permissions active RedWing deploys fake login overlays that appear on top of genuine banking and cryptocurrency applications capturing credentials as victims type them believing they are authenticating to their real bank.

(source: Zimperium zLabs)
Incoming text messages get read immediately for one time passcodes before any banking notification can appear to the user.

(source: Zimperium zLabs)
The kit also deploys a hidden call forwarding code specifically the carrier level command twenty one which routes incoming calls to attacker controlled numbers knocking out any phone based verification calls the victim’s bank might place to confirm suspicious transactions.
Live screen streaming lets operators watch victim activity in real time while a keylogger captures everything typed anywhere on the device.

(source: Zimperium zLabs)

(source: Zimperium zLabs)
Camera and microphone access contact lists call logs and location data round out a surveillance package that leaves essentially nothing private on an infected device.

(source: Zimperium zLabs)
A denial of service capability lets operators pool infected devices to flood external targets with traffic adding a separate criminal service to the kit revenue potential.
RedWing Targeting Detection Signals And Mitigation Guide
Zimperium identified 82 targeted financial institutions inside analyzed samples with a strong concentration on Russian financial firms pointing toward a primary Russian market focus though the overlay targets can shift remotely from the operator control panel without pushing a new application version to victims.
A fake RuStore page found in one analyzed sample reinforces that geographic focus and researchers note circumstantial evidence pointing toward Russian threat actors behind the operation without claiming a definitive attribution.
The behavior based detection challenge with RedWing stems from the fact that each build gets generated fresh through the Telegram bot meaning application names package identifiers and visual appearances shift constantly. Tracking by app name produces unreliable results since the same underlying code resurfaces immediately under a new label.
The behavioral signals rather than the label provide the reliable detection anchor. Any application that requests Accessibility access default SMS handler status and battery optimization exemption simultaneously and shortly after sideload installation should trigger immediate scrutiny regardless of what name appears on the icon.
Protection starts entirely at the install gate since RedWing requires no Android vulnerability to function and works only when a user installs from outside an official store and approves the permission sequence. Never install applications delivered through links in messages or pushed by popups claiming mandatory updates.
Treat any request to enable unknown sources installation as a red flag requiring verification through official channels rather than a prompt to approve quickly. Never grant Accessibility access or default SMS handler status to an application that cannot clearly justify why it needs those capabilities for its stated purpose.
Managed device environments can enforce these protections centrally through mobile device management policies that block sideloading entirely and flag applications requesting Accessibility or default SMS roles outside approved lists.
The criminal ecosystem producing kits like RedWing has matured to the point where the final payload quality rivals capabilities previously available only to state level threat actors while the barrier to entry for buyers dropped to a monthly subscription fee and a Telegram message.