Security researchers at Zimperium have identified RedWing, a sophisticated Android spyware operation distributed through Telegram as a commercial subscription service with apparent links to Russian threat actors. The malware-as-a-service platform includes complete documentation, tutorial videos, a referral program, and an automated bot that generates custom malicious applications on demand, lowering the barrier to entry for attackers with minimal technical expertise.
RedWing infections begin with phishing links that direct victims to fake app store pages mimicking Google Play, Samsung Galaxy Store, or Huawei AppGallery, complete with fabricated ratings and reviews. Once installed, the dropper guides victims through a series of permission requests disguised as routine setup steps, including disabling battery optimization, setting the app as the default SMS handler, and enabling notification access. These permissions grant the malware deep system-level control over the infected device.
The spyware deploys fake login screens over legitimate banking and cryptocurrency applications to capture credentials, intercepts incoming text messages to steal one-time authentication codes, and abuses Android's Accessibility Service to extract PINs, card numbers, and CVV codes directly from the screen. RedWing also silently enables call forwarding using hidden carrier codes, redirecting all incoming calls to attacker-controlled numbers and effectively bypassing phone-based two-factor authentication and fraud prevention systems.
Beyond credential theft, RedWing provides extensive surveillance capabilities including remote activation of device cameras and microphones with configurable recording durations, live screen streaming via VNC, real-time keylogging, file system access, and location tracking. Zimperium identified 82 targeted institutions across multiple sectors with heavy focus on Russian financial firms, though operators can update target lists remotely without distributing new application versions. The malware can also transform infected devices into a botnet for launching coordinated distributed denial-of-service attacks.
Organizations and users should implement strict controls against sideloading applications from unofficial sources and carefully scrutinize permission requests, particularly for Accessibility Service and default SMS handler access. On managed devices, administrators should block sideloading centrally and configure automated alerts for suspicious permission requests. Any application that hides its icon after installation should be treated as malicious, and behavioral monitoring provides more reliable detection than application names, which operators can easily change through the control panel.
Source: https://securityaffairs.com/194942/malware/telegram-hosted-redwing-malware-lets-anyone-rent-android-spyware-tools.html


