A new Android malware operation called red feather It is being rented out as a ready-made bank-fraud service on Telegram. It also allows less-skilled criminals to take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.
Zimperium’s ZLabs, which found the operation, says it looks like a new version of Oblivion, the $300-a-month malware rent-a-malware tool launched earlier this year.
Redwing is sold as a complete product in subscription tiers with referral discounts, guides, and how-to videos, so the buyer doesn’t need malware-writing skills. Telegram bot creates a custom app on demand for each buyer.
Researchers say a large number of the resulting droppers and payloads currently evade traditional security tools.
The infection starts with a phishing link that opens a fake app-store page. The kit’s dropper builder can mimic Google Play, the Galaxy Store, and AppGallery, or create completely custom pages with fake ratings, reviews, and download numbers. The page then prompts the user to install the app from outside the official store and approve its permissions.
The app stages its permission requests one screen at a time. A harmless-looking web page sits in the background while pop-up cards routinely request tailored permissions: turn off battery limits, set the app as the default text-message handler, and switch on notifications.
It also asks to turn on Android’s Accessibility service, which the malware misuses to read the screen and control the phone.
With those permissions, RedWing has comprehensive control of the phone. Its capabilities include:
- Fake login screens, called overlays, appear on genuine banking and cryptocurrency apps to steal passwords.
- Reading incoming text for a one-time passcode, and using Accessibility to remove the code, card number, and PIN from the screen when they appear.
- By using a hidden carrier code (*21*) to turn on call forwarding, the victim’s incoming calls are silently handed over to the attacker, eliminating phone-based verification and bank fraud-checking calls.
- Live screen streaming and a keylogger, allowing operators to view and control the phone in real time.
- Turn on camera and microphone, read files, steal contacts and call logs and track location.
- Harvesting infected phones to flood a targeted website with traffic is a denial-of-service attack.
Buyers choose their targets, and the malware splits its targets into two. The apps it looks for through accessibility are baked into each copy, leading to the creation of a new app to order once the buyer selects a target. In contrast, overlay targets can be changed later from the Control Panel without ejecting a new app.
Zimperium counted 82 targeted institutions across multiple sectors, with a particular focus on Russian financial firms, although this list could change at any time. Evidence points to the Russian market: one sample used a fake page for Russia’s RuStore. Experts say the operation appears to be linked to Russian threat actors, but this has not been confirmed.
Redwing marks a broader move toward on-device fraud in Android crime, where attackers operate inside a victim’s own banking session rather than stealing passwords to use elsewhere.
Researchers last year identified an almost identical Russian-market rental kit, Fantasy Hub. The same techniques appear in Albirex, which targeted more than 400 finance apps, and Kleopatra, which used hidden remote controls and fake overlays to drain accounts while victims slept.
RedWing does not require any Android exploit. This only works if a user installs the app from outside the official store and clears the prompts, so the first line of defense is what happens at the time of install. For individuals:
- Install apps only from official stores, and treat any “updates” that arrive via link or text message with suspicion.
- Don’t turn on “Install from unknown sources” and don’t give any app accessibility, default text-message handler, or battery-sapping access for no apparent reason.
- Keep an eye out for apps that hide their icon after installation, which is a common trick to stay out of sight.
On managed devices, similar options can be enforced centrally: block sideloading, and flag apps that request accessibility or the default-SMS role.
The researchers have also published indicators of agreement for teams who want to explore it. Because the kit can be reprogrammed and its overlay targets changed from a single panel, the same code can resurface under new names, so the app name is a poor way to track it. The behavior is the signal, not the name.