Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

https://securityaffairs.com/194942/malware/telegram-hosted-redwing-malware-lets-anyone-rent-android-spyware-tools.html

Publish Date: 2026-07-08 07:17:00

Source Domain: securityaffairs.com

Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools

Pierluigi Paganini
July 08, 2026

RedWing: The Android Banking Trojan You Can Rent on Telegram for Less Than a Coffee Subscription

Zimperium’s zLabs team has uncovered RedWing, an Android spyware operation sold as a subscription service through Telegram, with links to Russian threat actors and apparent roots in the Oblivion malware family.

It comes with documentation, tutorial videos, a referral discount program, and a bot that builds custom malicious apps on demand. No malware-writing skill required.

“Far from being just another basic piece of malware sold online, RedWing is a fully developed, commercial-grade MaaS product with seller documentation, videos, and a bot-driven subscription model that provides a low entry barrier for novice attackers.” reads the report published by Zimperium. “As a proof of this, the APK customization/obfuscation/creation can be fully implemented through telegram.”

Infection starts with a phishing link that opens a fake app store page. The dropper builder can mimic Google Play, the Samsung Galaxy Store, or Huawei’s AppGallery with fake ratings, reviews, and download counts.

“the C2 panel features a sophisticated ‘Onboarding Constructor‘. Within the ‘Stealer’ configuration module, operators can deploy a deceptive ‘WebView + Cards’ interface. This mechanism loads a benign-looking webpage in the background to establish legitimacy, while sequentially overlaying customized permission prompts (cards) from the bottom of the screen.” continues the report. “Through tailored social engineering lures, the malware coerces the user into granting critical system access, specifically targeting three core permissions: disabling Battery Optimization (to ensure uninterrupted background execution), setting the application as the Default SMS…

Source