Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

RedWing Android Spyware Sold as a Service on Telegram

July 8, 2026

Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters

July 8, 2026

How Faster Cyber-Attacks Are Reshaping Cybersecurity Strategy

July 8, 2026
Facebook X (Twitter) Instagram
Wednesday, July 8
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»RedWing Android Spyware Sold as a Service on Telegram
News

RedWing Android Spyware Sold as a Service on Telegram

Team-CWDBy Team-CWDJuly 8, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A new Android spyware strain has been observed being rented out to criminals through Telegram, giving even low-skilled attackers the tools to hijack phones and steal banking credentials, researchers have found.

Zimperium’s zLabs named the malware RedWing and described it as a polished malware-as-a-service (MaaS) operation with seller documentation, tutorial videos and a subscription model.

The firm linked it to Russian threat actors and said many of its samples currently slip past conventional security tools.

Built to Order on Telegram

What set RedWing apart was how easy it was to buy and deploy. A Telegram bot built and obfuscated the malicious APK for the customer, while a referral scheme offered discounts for spreading it further.

Operators could also generate fake app-store pages, mimicking Google Play, the Galaxy Store, AppGallery or Russia’s RuStore, complete with bogus ratings and download counts to lure victims into installing it.

Once installed, RedWing walked the victim through a series of permission prompts dressed up as routine setup, coaxing them into granting the access it needed, including Android’s accessibility service and control of the SMS inbox. From there, it could hide its own icon and run quietly in the background.

Read more on Android banking trojans: Rokarolla Trojan Combines Banking Fraud With Device Surveillance

Overlays, Call Forwarding and DDoS

RedWing’s core trick was credential harvesting through fake overlays. When a victim opened a targeted banking or cryptocurrency app, it dropped a convincing login screen on top to steal their details, with operators able to add new targets from the control panel.

zLabs counted 82 targeted institutions, most of them Russian financial firms.

To defeat two-factor authentication (2FA), the malware intercepted SMS codes and could silently forward the victim’s incoming calls to an attacker’s number, sidestepping the confirmation calls banks use to check for fraud.

It also provided live VNC screen control, keylogging and covert recording from the camera and microphone. Infected phones could even be pooled into a botnet for denial-of-service (DDoS) attacks.

Zimperium said RedWing appeared to be a new variant of an Android malware family known as Oblivion, based on shared droppers and overlays.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleUnpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters
Team-CWD
  • Website

Related Posts

News

Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters

July 8, 2026
News

Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target

July 8, 2026
News

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

July 8, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Chronology of a Skype attack

February 5, 2026

Watch out for SVG files booby-trapped with malware

September 22, 2025

AI-powered financial scams swamp social media

September 11, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.