AI Security AI安全 3d ago Updated 2d ago 更新于 2天前 42

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service RedWing MaaS将Android银行欺诈包装为Telegram租赁服务

RedWing is a sophisticated Android banking malware-as-a-service (MaaS) operation rented via Telegram, enabling low-skill criminals to conduct full account takeovers. The malware utilizes social engineering to mimic official app stores and tricks users into granting high-privilege permissions, particularly Android's Accessibility service. Capabilities include live screen streaming, keylogging, SMS interception for OTPs, call forwarding to bypass verification, and overlay attacks against banking a RedWing是一种通过Telegram以订阅模式出租的Android银行欺诈恶意软件即服务(MaaS),无需编程技能即可使用。 该工具利用伪造的应用商店页面诱导用户侧载应用,并通过伪装成常规操作的弹窗获取高权限(如无障碍服务和默认短信处理)。 RedWing具备屏幕覆盖窃取凭证、读取OTP验证码、静默呼叫转移及实时屏幕流控等能力,旨在绕过传统安全检测。 攻击目标主要集中在俄罗斯金融机构,体现了移动犯罪向“设备内欺诈”转变的趋势,即直接在受害者会话中操作而非仅窃取凭据。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • RedWing is a sophisticated Android banking malware-as-a-service (MaaS) operation rented via Telegram, enabling low-skill criminals to conduct full account takeovers.
  • The malware utilizes social engineering to mimic official app stores and tricks users into granting high-privilege permissions, particularly Android's Accessibility service.
  • Capabilities include live screen streaming, keylogging, SMS interception for OTPs, call forwarding to bypass verification, and overlay attacks against banking apps.
  • The operation represents a shift toward on-device fraud, allowing attackers to operate within active banking sessions rather than just stealing credentials.
  • Defense relies heavily on preventing sideloading, restricting Accessibility permissions, and monitoring for behavioral anomalies rather than relying solely on app signatures.

Why It Matters

This incident highlights the dangerous trend of "democratizing" cybercrime through MaaS models, where complex malware is packaged as easy-to-use subscription services accessible to non-technical actors. For security practitioners, it underscores the critical risk posed by Android's Accessibility API when abused by malicious applications, necessitating stricter permission controls and behavioral detection strategies.

Technical Details

  • Distribution and Installation: Infection begins with phishing links leading to fake app-store pages (mimicking Google Play, Galaxy Store, or RuStore) that coerce users into sideloading and approving permissions.
  • Permission Abuse: The malware stages permission requests to appear routine, specifically targeting Android Accessibility services, default SMS handler status, and battery optimization exemptions to maintain persistence and control.
  • Data Exfiltration and Control: Once installed, RedWing employs overlays to steal login credentials, reads incoming SMS for one-time passcodes, and uses Accessibility features to extract PINs and card numbers directly from the screen.
  • Advanced Evasion: Features include silent call forwarding via carrier codes (21) to intercept verification calls, live screen streaming, keylogging, and the ability to dynamically update target applications via a remote control panel without requiring app updates.
  • Targeting Scope: Researchers identified 82 targeted institutions, primarily in the Russian financial sector, though the toolkit allows buyers to customize targets easily.

Industry Insight

  • Shift in Detection Paradigms: Traditional signature-based detection is insufficient for MaaS malware that can be reskinned and dynamically reconfigured. Security teams must prioritize behavioral analysis, particularly monitoring for unauthorized use of Accessibility services and unexpected call forwarding.
  • User Education Criticality: Since RedWing requires user interaction (sideloading and permission approval), organizations must reinforce training on the dangers of installing apps from unofficial sources and the risks of granting excessive permissions to unknown applications.
  • Regulatory and Platform Responsibility: App stores and device manufacturers need to enhance safeguards against fake storefronts and implement stricter default restrictions on Accessibility permissions for newly installed or unverified applications to mitigate on-device fraud risks.

TL;DR

  • RedWing是一种通过Telegram以订阅模式出租的Android银行欺诈恶意软件即服务(MaaS),无需编程技能即可使用。
  • 该工具利用伪造的应用商店页面诱导用户侧载应用,并通过伪装成常规操作的弹窗获取高权限(如无障碍服务和默认短信处理)。
  • RedWing具备屏幕覆盖窃取凭证、读取OTP验证码、静默呼叫转移及实时屏幕流控等能力,旨在绕过传统安全检测。
  • 攻击目标主要集中在俄罗斯金融机构,体现了移动犯罪向“设备内欺诈”转变的趋势,即直接在受害者会话中操作而非仅窃取凭据。

为什么值得看

这篇文章揭示了恶意软件即服务(MaaS)模式的进一步成熟,展示了低技能犯罪分子如何通过租赁服务轻松实施复杂的银行欺诈。对于安全从业者和企业而言,理解这种基于行为而非签名的新型威胁模型,以及其利用系统权限进行深度控制的机制,对于更新防御策略至关重要。

技术解析

  • 分发与安装机制:通过钓鱼链接引导至伪造的Google Play、Galaxy Store或RuStore页面,页面包含虚假评分和评论以诱导用户关闭安全警告并侧载应用。
  • 权限获取策略:采用分步式权限请求,背景显示无害网页,前台以弹窗形式请求关闭电池优化、设置为默认短信处理器及开启无障碍服务,后者被用于屏幕读取和控制。
  • 核心欺诈功能:包括针对特定金融App的动态覆盖层(Overlay)、通过无障碍服务提取屏幕上的PIN码和卡号、利用21代码静默启用呼叫转移以拦截验证电话,以及实时屏幕流控和键盘记录。
  • 规避与定制化:生成的Dropper和Payload能逃避常规安全工具检测;支持按需定制应用,目标应用列表可硬编码在构建时,而覆盖层目标可通过控制面板动态更改,无需重新分发应用。

行业启示

  • 防御重心转移:由于RedWing不依赖零日漏洞而是依赖用户交互和社会工程学,防御重点应从单纯的恶意代码检测转向加强应用安装时的权限审查和用户安全意识教育。
  • 行为检测必要性:鉴于恶意软件可通过重打包和动态配置不断变换名称和表面特征,传统的基于文件名或哈希值的检测失效,必须建立基于异常行为(如无障碍服务滥用、呼叫转移异常)的检测机制。
  • MaaS威胁常态化:随着欺诈工具的低门槛化和模块化,针对移动金融服务的自动化、规模化攻击将成为常态,企业和监管机构需加强对移动端金融交易环境的实时监控和多方验证机制。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全