How RedWing rents Android bank fraud as a turnkey Telegram service
RedWing does not introduce a new exploit. It industrializes a set of old Android abuses, overlays, the SMS handler role, and the Accessibility Service, and rents the result on Telegram so that operators with no engineering skill can take over a phone and drain the accounts behind it.
Zimperium's zLabs documented RedWing as a mobile malware-as-a-service platform that looks like a new variant of Oblivion, a rent-a-malware tool previously priced around 300 dollars a month. The selling model is the story as much as the code: subscription tiers, referral discounts, written guides, how-to videos, and a Telegram bot that builds each buyer a custom Android app on demand. The malware is the product; the buyer is a customer. That is what lowers the skill floor for bank fraud.
Why this is a bug-class story, not a single CVE
RedWing chains capabilities that Android grants deliberately, then misuses each one. Understanding the platform means understanding three permission surfaces that were designed for legitimate uses and repurposed for theft.
Nothing here is a zero-day. Every primitive is a documented Android feature turned against the person holding the phone. recurring pattern across Android banking trojans
The three abused surfaces
Overlays. The classic banking-trojan move is to draw a fake login window on top of the real banking or cryptocurrency app. When the victim opens their bank, the malware detects the foreground package and paints a pixel-accurate credential form over it. The password is typed into the attacker's form, not the bank's. This relies on the draw-over-other-apps capability (SYSTEM_ALERT_WINDOW) and on the malware knowing which app is in front.
The SMS handler role. One-time passcodes sent by text are only a defense if the attacker cannot read them. RedWing asks to become the default SMS app, or abuses the Accessibility Service to read notifications, so incoming codes are captured the instant they arrive. That turns SMS-based two-factor authentication from a barrier into a rubber stamp.
The Accessibility Service. Accessibility exists so assistive tools can read the screen and act on the user's behalf. Granted to malware, it becomes a universal input and readout: it lifts card numbers, PINs, and on-screen codes as they render, dismisses security prompts, grants further permissions, and drives the UI without the victim touching the phone. Reporting also describes a call-forwarding trick, dialing a hidden carrier code (*21*) to silently route the victim's incoming calls to the attacker, so a bank's verification callback never reaches the real account holder.
On top of those, RedWing adds custom droppers to get installed past on-device checks, live screen streaming, and a keylogger, giving operators a real-time view and remote control, plus camera, microphone, contacts, call logs, and location. This is full device takeover, not just credential capture. For a related look at how a stolen recovery secret produces lasting account access, see our writeup on Signal recovery key phishing.
The fraud chain, step by step
- A phishing lure delivers a dropper APK, sideloaded outside the official store.
- The dropper coaxes the victim into granting Accessibility, then uses it to self-approve the rest.
- The malware registers as SMS handler and enables draw-over-other-apps.
- The victim opens a banking app; an overlay harvests the login.
- An incoming one-time code is read from SMS or lifted off the screen.
- The operator streams the screen, authorizes the transfer, and forwards calls to suppress the bank's verification.
Reproducing the recognition skill in a lab
Study the behavior, not the malware. You can build the detection reflex safely on an emulator with no real accounts, then practice spotting the same markers on a hardened test device.
- Spin up a disposable Android Virtual Device with no signed-in accounts and no real SIM.
- Write a benign test app that requests Accessibility and
SYSTEM_ALERT_WINDOW, then watch how aggressively the consent flow can be nudged. That is the exact leverage a dropper exploits. - Enumerate what is dangerous:
adb shell settings get secure enabled_accessibility_serviceslists every app with the readout-and-control capability. - Check who holds the SMS role and who can draw overlays:
adb shell cmd role holders android.app.role.SMSandadb shell appops get <pkg> SYSTEM_ALERT_WINDOW.
# apps holding the accessibility readout/control capability adb shell settings get secure enabled_accessibility_services # current default SMS handler (should be your messaging app, nothing else) adb shell cmd role holders android.app.role.SMS # is call forwarding silently enabled? # dial ##21# on the handset to check, then #21# to disable
Defending real users
The defensive habit is to treat Accessibility and the SMS role as the crown jewels of the device, because to this malware they are.
- Install only from the official store, and leave sideloading and unknown-sources disabled.
- Audit Accessibility grants regularly; any app you did not deliberately enable for assistive use should be removed.
- Move off SMS one-time codes where possible. App-based authenticators and passkeys are not captured by an SMS handler.
- Distrust any app that asks for Accessibility to perform an ordinary task. That request is the single strongest signal in the whole chain.
- If compromise is suspected, disconnect the device, check for unexpected call forwarding, revoke sessions from a clean device, and rotate banking credentials.
RedWing matters less as a specific family than as a template: package well-known abuses, wrap them in a subscription and a build bot, and the number of people capable of running bank fraud grows sharply. The malware-as-a-service model is the same one we traced through desktop remote access trojans delivered via package registries. Defenders do not need a new detection for each rebrand; they need to watch the surfaces every one of these platforms depends on. For how we handle live-campaign reporting, see the project ethics and disclosure policy, and start from the writeups index for the rest of the series.
Sources
- Zimperium zLabs. "RedWing: A Mobile Malware-as-a-Service Operation." Read the research
- The Hacker News. "RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service." Read the report
- Zimperium. "Extended Rapid Response: Zero-Day Coverage of Oblivion RAT." Read the analysis
- Android Developers. "AccessibilityService and the SMS role." Read the documentation