RedWing MaaS Offers Android Banking Trojan as Telegram Rental Service
A new Android banking trojan, RedWing, is being offered as a Malware-as-a-Service (MaaS) on Telegram, enabling less sophisticated threat actors to steal banking credentials and one-time passcodes.

A burgeoning threat landscape has a new player: RedWing, an Android banking trojan being peddled as a Malware-as-a-Service (MaaS) on the popular messaging platform Telegram. This illicit offering allows even novice cybercriminals to rent access to a sophisticated tool designed to compromise mobile banking security.
Security researchers at zLabs have identified RedWing as a potentially new variant of the Oblivion banking trojan, a known threat that has been available for rent for some time. The MaaS model lowers the barrier to entry for malicious actors, providing them with a ready-made solution to conduct financial fraud without needing to develop their own malware or possess deep technical expertise.
The primary function of RedWing is to pilfer sensitive banking credentials and one-time passcodes (OTPs) directly from victims' Android devices. This capability is crucial for bypassing multi-factor authentication, a standard security measure designed to protect online accounts. By intercepting OTPs, attackers can gain unauthorized access to user accounts, enabling them to drain funds or conduct fraudulent transactions.
The operation leverages Telegram, a platform often used for clandestine communications and illicit marketplaces, to advertise and distribute the RedWing service. This choice of platform likely aims to reach a wide audience of potential customers while maintaining a degree of anonymity for the operators. The service is reportedly priced affordably, making it accessible to a broad spectrum of cybercriminals.
Researchers note that RedWing's functionality appears to be derived from or closely related to the Oblivion banking trojan. Oblivion itself has been a persistent threat, known for its ability to perform various malicious actions on infected devices, including overlay attacks, SMS interception, and credential theft. The evolution into RedWing suggests a continued development and adaptation of these banking trojan capabilities.
The implications of RedWing's MaaS model are significant. It democratizes advanced mobile banking fraud, potentially leading to an increase in targeted attacks against users of financial applications. The ease of access and relatively low cost mean that even individuals with limited technical skills can engage in sophisticated financial cybercrime.
As RedWing gains traction, users are advised to remain vigilant against phishing attempts and to ensure their Android devices are running the latest security patches. Employing strong, unique passwords for banking apps and being cautious about granting permissions to newly installed applications are also crucial steps in mitigating the risk of infection.
The emergence of RedWing underscores the dynamic nature of the mobile malware landscape and the persistent threat posed by banking trojans. The MaaS model continues to be a successful strategy for malware distributors, enabling the rapid proliferation of malicious tools across the cybercriminal underground.