← All articles

RedWing rents out ready-made Android banking malware through a Telegram bot

Zimperium found RedWing, an Android bank-fraud operation rented out on Telegram as a finished product, complete with subscription tiers, guides, and a bot that builds each buyer a custom malicious app on demand, so no coding skill is needed. It spreads through phishing links leading to fake app-store pages that convincingly imitate Google Play and other stores. Once installed and granted permissions, it overlays fake login screens on real banking and crypto apps, reads incoming texts and screen content to capture one-time codes, and can silently forward the victim's calls to defeat phone-based verification. It also offers live screen control, keylogging, and camera access.

Check
Remind users to install apps only from official stores, distrust app updates arriving by link or text, and never grant Accessibility or default-texting access to an app without a clear reason.
Affected
Android users who sideload apps and approve broad permissions; RedWing then overlays fake login screens, steals one-time codes from texts and the screen, and forwards calls to defeat phone-based verification.
Fix
Keep installs restricted to official app stores, avoid enabling unknown sources, review and limit Accessibility and default-messaging permissions, use app-based rather than SMS authentication, and deploy mobile threat defense on banking devices.