RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
RedWing is a sophisticated Android banking malware-as-a-service (MaaS) operation rented via Telegram, enabling low-skill criminals to conduct full account takeovers. The malware utilizes social engineering to mimic official app stores and tricks users into granting high-privilege permissions, particularly Android's Accessibility service. Capabilities include live screen streaming, keylogging, SMS interception for OTPs, call forwarding to bypass verification, and overlay attacks against banking a
Analysis
TL;DR
- RedWing is a sophisticated Android banking malware-as-a-service (MaaS) operation rented via Telegram, enabling low-skill criminals to conduct full account takeovers.
- The malware utilizes social engineering to mimic official app stores and tricks users into granting high-privilege permissions, particularly Android's Accessibility service.
- Capabilities include live screen streaming, keylogging, SMS interception for OTPs, call forwarding to bypass verification, and overlay attacks against banking apps.
- The operation represents a shift toward on-device fraud, allowing attackers to operate within active banking sessions rather than just stealing credentials.
- Defense relies heavily on preventing sideloading, restricting Accessibility permissions, and monitoring for behavioral anomalies rather than relying solely on app signatures.
Why It Matters
This incident highlights the dangerous trend of "democratizing" cybercrime through MaaS models, where complex malware is packaged as easy-to-use subscription services accessible to non-technical actors. For security practitioners, it underscores the critical risk posed by Android's Accessibility API when abused by malicious applications, necessitating stricter permission controls and behavioral detection strategies.
Technical Details
- Distribution and Installation: Infection begins with phishing links leading to fake app-store pages (mimicking Google Play, Galaxy Store, or RuStore) that coerce users into sideloading and approving permissions.
- Permission Abuse: The malware stages permission requests to appear routine, specifically targeting Android Accessibility services, default SMS handler status, and battery optimization exemptions to maintain persistence and control.
- Data Exfiltration and Control: Once installed, RedWing employs overlays to steal login credentials, reads incoming SMS for one-time passcodes, and uses Accessibility features to extract PINs and card numbers directly from the screen.
- Advanced Evasion: Features include silent call forwarding via carrier codes (21) to intercept verification calls, live screen streaming, keylogging, and the ability to dynamically update target applications via a remote control panel without requiring app updates.
- Targeting Scope: Researchers identified 82 targeted institutions, primarily in the Russian financial sector, though the toolkit allows buyers to customize targets easily.
Industry Insight
- Shift in Detection Paradigms: Traditional signature-based detection is insufficient for MaaS malware that can be reskinned and dynamically reconfigured. Security teams must prioritize behavioral analysis, particularly monitoring for unauthorized use of Accessibility services and unexpected call forwarding.
- User Education Criticality: Since RedWing requires user interaction (sideloading and permission approval), organizations must reinforce training on the dangers of installing apps from unofficial sources and the risks of granting excessive permissions to unknown applications.
- Regulatory and Platform Responsibility: App stores and device manufacturers need to enhance safeguards against fake storefronts and implement stricter default restrictions on Accessibility permissions for newly installed or unverified applications to mitigate on-device fraud risks.
Disclaimer: The above content is generated by AI and is for reference only.