A new malware-as-a-service (MaaS) operation targeting Android users has been identified by researchers at Zimperium’s zLabs. Dubbed RedWing, the operation is distributed and rented through Telegram, packaging sophisticated bank-fraud capabilities into a service accessible to low-skill threat actors.

What RedWing Does

RedWing gives operators the ability to take over a victim’s Android device, harvest banking credentials, and intercept one-time passcodes (OTPs) used to protect financial accounts. By automating these steps into a rental package, the operation removes the technical barriers that would ordinarily limit this type of attack to more capable adversaries.

Oblivion Lineage

According to Zimperium’s zLabs, RedWing appears to be a new variant of Oblivion, an existing Android rent-a-malware toolkit previously available for approximately $300 per month. The connection suggests RedWing is part of an evolving lineage of commoditized mobile banking trojans rather than an entirely novel codebase.

Telegram as a Distribution Channel

The use of Telegram as a storefront and command channel is consistent with broader trends in the cybercriminal ecosystem, where the platform’s pseudonymity and large user base make it a common venue for advertising and operating MaaS tools. RedWing follows this model, offering a ready-made fraud service to anyone willing to pay the rental fee.

Implications for Defenders

The commoditization of Android bank-fraud tooling raises the threat level for financial institutions and their customers. Security teams should consider the following mitigations:

  • Enforce mobile threat defense (MTD) solutions on devices used for banking or corporate access.
  • Monitor for anomalous OTP interception patterns at the authentication layer.
  • Educate users about sideloading risks, as MaaS payloads are typically distributed outside official app stores.
  • Review fraud detection rules to account for automated, tool-assisted account takeover behavior.

Zimperium’s zLabs has not publicly released full technical indicators at this time, but organizations with Android device fleets should treat this as an active threat given the low barrier to entry RedWing provides to potential attackers.