RedWing, a newly discovered Android malware operation, is being distributed as a malware-as-a-service (MaaS) package through Telegram channels. The threat allows attackers to remotely compromise victim devices, extract banking credentials, and intercept one-time passwords that protect financial accounts.

Zimperium's zLabs attributed RedWing to developers operating what appears to be an evolution of Oblivion, a known rent-a-malware tool that costs approximately $300 monthly. This pricing model indicates the malware targets both opportunistic criminals and organized fraud rings lacking sophisticated development capabilities.

RedWing's functional scope extends beyond basic credential theft. The malware achieves device takeover capabilities, giving attackers near-complete control over infected phones. This access allows operators to bypass multi-factor authentication protections by capturing time-sensitive one-time passwords sent via SMS or authenticator apps. Once attackers obtain banking credentials and intercept MFA codes, they can directly access victim accounts and execute unauthorized transfers.

The Telegram distribution channel reveals a shift in malware economics. By packaging banking trojans as rental services, threat actors lower the barrier to entry for less technical criminals. This approach mirrors successful ransomware-as-a-service operations, converting complex malware development into a subscription-based criminal product.

Android remains an attractive target for banking fraud operations because users frequently store sensitive financial data on mobile devices and mobile banking applications lack the endpoint protections standard on desktop systems. The prevalence of Android globally and fragmented security updates across device manufacturers create a persistent attack surface.

Organizations and financial institutions should implement device management controls limiting installation of unauthorized applications. Individual users face risk through email phishing, malicious advertisements, and compromised third-party app stores. Victims should monitor financial accounts for unauthorized activity and enable transaction alerts through their banking providers. Security researchers recommend applying available Android patches promptly and