Commercialized mobile fraud exposed. The RedWing Android trojan uses fake app stores and accessibility exploits to drain bank accounts via Telegram control.

Beyond The Password Theft: New RedWing Android Variant Deploys Hidden Call Forwarding To Intercept 2FA Banks

The420.in Staff
5 Min Read

The mobile threat landscape has undergone a major tactical shift with the discovery of RedWing, an aggressive Android banking trojan operating under a commercialized Malware-as-a-Service (MaaS) subscription model on Telegram. According to an extensive technical analysis unsealed by Zimperium’s zLabs, the malicious infrastructure functions as a highly accessible rental platform, enabling low-skilled threat actors to deploy tailored information stealers without writing code. The automated framework, which researchers identify as an advanced variant of the notorious Oblivion remote access trojan, integrates custom payload builders, step-by-step user tutorials, and dynamic command-and-control panels to orchestrate real-time device compromises and execute on-device financial extraction.

Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference

The App-Store Mimicry and Graded Permission Harvesting

The operational deployment of the RedWing platform relies on a sophisticated mobile phishing infrastructure engineered to bypass traditional security filters. Threat actors initiate campaigns by distributing malicious links that redirect targets to high-fidelity, counterfeit download portals meticulously styled to resemble official platforms like Google Play, Samsung Galaxy Store, or Huawei AppGallery. To maximize onboarding conversion rates and exploit consumer trust, the kit’s automated dropper builder injects fabricated application metrics into the interface, displaying cloned developer badges, fake multi-star ratings, synthetic review feeds, and exaggerated download counts.

Once an unsuspecting user is enticed into sideloading the application package, the malware initiates a highly calculated, screen-by-screen permission harvesting sequence. While maintaining a benign interface in the foreground to mask its true background processes, the application forces a series of system prompts requiring the user to disable device battery optimization limits, set the software as the default SMS handler, and activate Android’s Accessibility Services. The acquisition of these critical configuration overrides effectively hands over administrative mastery of the operating system to the background payload, laying the technical foundation for full device takeover and the silent bypass of platform security boundaries.

Session Hijacking Matrices and Automated Fraud Vectors

With the Accessibility Service actively compromised, the RedWing payload shifts into a real-time surveillance and transaction injection engine. Instead of merely harvesting static database credentials to exploit from external locations—which frequently triggers automated banking fraud blocks—the malware excels at on-device fraud, manipulating transactions directly within the user’s active mobile banking session. The software continuously monitors the device’s foreground application logs, launching high-fidelity phishing overlays over 82 targeted financial and cryptocurrency platforms to capture usernames, credit card numbers, and security PINs the exact moment a user attempts to log into their genuine accounts.

Simultaneously, the malware deploys specialized communication interception tools to isolate and neutralize two-factor authentication (2FA) mechanisms. By abusing its default SMS handler privileges, the trojan reads, records, and silently deletes incoming one-time passwords (OTPs) before the device owner can notice the activity. Furthermore, upon receiving an automated command from its central dashboard, the application executes hidden carrier-level Unstructured Supplementary Service Data (USSD) requests—specifically deploying the *21* code framework—to establish unconditional call forwarding. This hidden step redirects all incoming voice verifications and bank confirmation calls straight to attacker-controlled terminals, while its integrated remote access suite supports live MediaProjection screen streaming, keystroke logging, and botnet coordination to launch localized denial-of-service strikes.

Behavioral Machine Learning and Endpoint Defense Standards

While current forensic telemetry indicates a heavy targeting focus on Russian financial institutions and localized digital asset repositories, security researchers emphasize that the underlying command console allows operators to dynamically update target app configurations without pushing out a new malware build. The commercialization of such sophisticated endpoint manipulation suites on underground channels highlights the severe limitations of traditional signature-based antivirus tools. Mobile defense architects state that modern threat actors are systematically weaponizing legitimate Android accessibility frameworks, creating an environment where proactive, on-device behavioral analytics represent the only dependable line of defense.

To permanently protect enterprise mobile grids and personal consumer devices from advanced on-device fraud, cybersecurity compliance boards are demanding a rigid approach to application lifecycle management. Security engineers advise users to completely block software installations originating from unknown third-party links, reminding populations that official system updates are never delivered via unsolicited text messages or independent chat threads. Additionally, corporate IT cells are urged to deploy real-time behavioral monitoring systems capable of identifying anomalous accessibility activations and immediate SMS role changes, effectively neutralizing automated credential extraction loops before they can compromise sensitive financial sessions.

Stay Connected