Android Malware RedWing Is Sold by Subscription on Telegram — 82 Organizations Hit

There’s a new Android trojan on the market, and you don’t need to be a hacker to use it. Security firm Zimperium has identified a malware strain called RedWing that criminals are renting out through Telegram on a subscription basis — essentially malware-as-a-service for anyone willing to pay.

RedWing appears to be a new variant of Oblivion, an Android trojan that surfaced earlier this year, according to Zimperium’s research. Subscribers pay a fee to the Oblivion platform and receive a full toolkit: operational documentation, tutorial videos, and a phishing page generator. That generator helps criminals quickly set up fake download pages that mimic Google Play, Samsung Galaxy Store, or other app marketplaces, tricking victims into installing the malicious app.

Once a victim installs an app carrying RedWing from one of these spoofed storefronts, the attacker gains broad control over the device. The malware uses overlay attacks to create fake banking login screens that capture account credentials. It also intercepts SMS-based one-time passwords, logs keystrokes, steals files and contacts, and can even recruit the infected device into a botnet for future attacks.

Zimperium reports that 82 institutions have already been hit by RedWing attacks. The scale is a direct consequence of how the malware is distributed. By packaging sophisticated attack capabilities into an easy-to-rent service, the developers have removed the technical barrier that used to keep most would-be cybercriminals out.

This is not a new trend so much as an accelerating one. The “crime-as-a-service” model has been growing for years, but each new iteration lowers the bar further. RedWing represents a particularly sharp drop — it specifically targets mobile banking, which means the victims are not just large organizations but individual phone users who authenticated a transaction on a fake login screen. The financial damage from these attacks tends to be harder to recover than a compromised corporate server, because the money moves fast through mule accounts and cryptocurrency mixers.

Zimperium’s researchers note that RedWing follows the broader shift toward service-based cybercrime, where specialization replaces everything-in-house. The platform handles the malware development and infrastructure. The subscribers just need to find victims and collect the money. That division of labor makes mobile financial fraud accessible to a much wider pool of attackers, and 82 confirmed breaches is almost certainly an undercount — many infections go undetected until the money is already gone.