RedWing is a new Android spyware MaaS promoted through Telegram, with phishing-based distribution, customizable droppers, and strong links to Russian threat actors. It combines data theft, credential harvesting, remote control, call forwarding, and DDoS functions, while using overlays, Accessibility abuse, and obfuscation to evade detection and target financial institutions and their customers. #RedWing #Telegram #Russia
Keypoints
- RedWing is a newly uncovered Android spyware variant sold as Malware-as-a-Service through a Telegram channel.
- The malware is distributed through mobile-targeted phishing sites and uses customizable droppers that mimic Google Play, Galaxy Store, AppGallery, and RuStore.
- It can steal SMS, contacts, call logs, files, device metadata, and 2FA messages, creating major risk for banking users.
- RedWing supports remote screen streaming, screen locking, screenshot capture, camera and microphone activation, and VNC-style device control.
- The operators can deploy fake banking and crypto overlays, harvest credentials, and modify targeted apps from the admin panel without redeploying new malware versions.
- It can silently enable call forwarding with USSD commands to bypass voice-based two-factor authentication and intercept calls.
- The infrastructure includes subscription tiers, referral incentives, and a centralized panel for managing phishing campaigns and compromised devices.
MITRE Techniques
- [T1660 ] Phishing â Malicious APKs are delivered via fake mobile-targeted sites and app-store lookalikes (âhost external phishing sites to download malicious APKsâ).
- [T1624.001 ] Event Triggered Execution: Broadcast Receivers â The malware creates receivers to handle SMS and outgoing call events (âcreates a broadcast receiver to receive SMS events and outgoing callsâ).
- [T1655.001 ] Masquerading: Match Legitimate Name or Location â It impersonates legitimate app stores such as Google Play to appear trusted (âimpersonating Google Play icon as an extensionâ).
- [T1516 ] Input Injection â RedWing simulates taps, swipes, clicks, and text entry to control the device (âmimic user interaction, perform clicks and various gestures, and input dataâ).
- [T1406.002 ] Obfuscated Files or Information: Software Packing â It dynamically loads encrypted payload components from assets (âLoads the encrypted dex dynamically from its assetsâ).
- [T1417.001 ] Input Capture: Keylogging â The malware captures typed input and keystrokes (âIt has a keylogger featureâ).
- [T1417.002 ] Input Capture: GUI Input Capture â It captures the displayed UI to observe sensitive on-screen information (âIt is able to get the shown UIâ).
- [T1517 ] Access Notifications â It monitors notifications and SMS-related content (âCan listen to the notificationsâ).
- [T1426 ] System Information Discovery â The malware collects device information such as model and Android version (âIt gets device info such as device name, Android version etcâ).
- [T1418 ] Software Discovery â It enumerates installed applications on the device (âMalware collects installed application package listâ).
- [T1513 ] Screen Capture â It records the screen and sends visual data to the C2 (âMalware can record screen contentâ).
- [T1512 ] Capture Camera â It activates the camera to take photos (âMalware opens camera and takes picturesâ).
- [T1429 ] Audio Capture â It records ambient audio through the microphone (âMalware captures Audio recordingsâ).
- [T1616 ] Call Control â It can initiate or forward calls from the victim device (âMalware can make callsâ).
- [T1636.002 ] Protected User Data: Call Log â It steals call logs from the device (âMalware steals call logsâ).
- [T1636.003 ] Protected User Data: Contact List â It exports the victimâs contacts (âIt exports the deviceâs contactsâ).
- [T1636.004 ] Protected User Data: SMS Messages â It steals SMS messages from the infected device (âSteals SMSs from the infected deviceâ).
- [T1437.001 ] Application Layer Protocol: Web Protocols â The malware communicates with its servers over HTTP (âUses HTTP protocol to communicate with C&C serversâ).
- [T1481.002 ] Web Service: Bidirectional Communication â It uses WebSocket for command polling and session control (âIt uses websocket communication to poll the TAâs server and get the commands to executeâ).
- [T1646 ] Exfiltration Over C2 Channel â Stolen data is sent back through the command-and-control channel (âSending exfiltrated data over C&C serverâ).
- [T1582 ] SMS Control â The malware reads and manipulates SMS to intercept verification messages (âIt can read SMS messagesâ).
Indicators of Compromise
- [Telegram channel] Malware distribution and operator infrastructure â Telegram bot/channel used to build and manage APKs, panels, and subscriptions.
- [JSON device telemetry] C2 status payload â device_id âc9439fa3f0318657â, team_id â700ad4b2â, connected_via âXXX.XXX.XXX.XXXâ.
- [App/package names] Fake marketplace and target impersonation â Google Play, Galaxy Store, AppGallery, RuStore.
- [USSD code] Call forwarding abuse and balance checks â *21*# and *111#.
- [Regex patterns] Credential harvesting filters â ^d{4,8}$, ^d{13,19}$, ^d{3,4}$, ^+?d{10,15}$.
- [Command names] C2 tasking and device control â show_overlay, get_files, vnc_start, take_photo, start_recording, ddos_start, and other commands.
Read more: https://zimperium.com/blog/redwing-a-mobile-malware-as-a-service-operation