A new Android malware operation dubbed RedWing is being marketed on Telegram as a ready-made bank-fraud service, according to researchers at Zimperium's zLabs. The malware allows even low-skill criminals to remotely take over a victim's phone, steal banking login credentials, and intercept one-time codes used to protect accounts.

The service appears to be a variant of an existing rent-a-malware tool called Oblivion, which was previously sold for $300 per month. RedWing packages that capability into a Malware-as-a-Service (MaaS) model, lowering the barrier to entry for cybercriminals seeking to conduct mobile financial fraud.

RedWing targets Android devices, exploiting permissions and accessibility features to gain full remote control over the victim's handset. Once installed—likely through social engineering or malicious apps—the malware can read SMS messages, capture two-factor authentication codes, and exfiltrate banking app credentials.

Indicators of compromise include unexpected requests for accessibility service permissions and unusual network traffic to command-and-control servers. Zimperium has not yet released specific technical indicators or patch details, but users are advised to avoid sideloading apps and to verify app permissions rigorously.

The emergence of RedWing underscores a broader trend: the commoditization of mobile banking malware via Telegram-based rental services. This model enables attackers with minimal technical skill to launch sophisticated credential theft campaigns, raising the threat level for Android users globally.