Back to Intelligence

RedWing Android Banking Trojan: MaaS Detection and Defense Strategies

SA
Security Arsenal Team
July 7, 2026
6 min read

Zimperium's zLabs has uncovered a significant evolution in mobile threat landscape: RedWing. This is a new Android banking trojan distributed strictly as Malware-as-a-Service (MaaS) via Telegram. Modeled after the infrastructure of the notorious Oblivion trojan, RedWing effectively commoditizes mobile bank fraud. For a subscription fee, low-skilled actors can rent this ready-made capability to hijack devices, harvest banking credentials, and intercept SMS one-time passwords (OTPs).

For defenders, this represents a dangerous lowering of the barrier to entry. We are no longer dealing exclusively with sophisticated nation-state actors or highly skilled cybercriminals; we are facing "crime-as-a-service" operators democratizing account takeover (ATO) capabilities. The urgency here is high: if your organization allows BYOD or manages corporate Android devices with access to financial applications, RedWing poses a direct and immediate threat to the integrity of your corporate banking and authentication mechanisms.

Technical Analysis

Affected Platform: Android (Multiple versions; banking trojans typically target Android 7.0 and up, though specific RedWing version dependencies are still being analyzed by Zimperium).

Threat Vector: Social Engineering / Phishing / Smishing. RedWing is distributed via trojanized applications, often masquerading as legitimate utility or banking apps.

Attack Chain & Functionality:

  1. Infection: The user is tricked into downloading and installing a malicious APK (often outside the Google Play Store).
  2. Permission Abuse: Upon execution, RedWing requests critical permissions, specifically Accessibility Services and SMS Reading/Receiving.
  3. Overlay Attacks & Keylogging: By abusing Accessibility Services, the malware can read screen content, intercept inputs, and draw overlays (fake login screens) on top of legitimate banking apps to capture credentials.
  4. 2FA Bypass: Using SMS permissions, RedWing captures incoming OTP codes, relaying them to the attacker's C2 server, effectively neutralizing SMS-based 2FA.
  5. Remote Control: The MaaS backend provides the "renter" with a web panel to control infected devices, view logs, and manage stolen sessions.

Exploitation Status: Confirmed Active. RedWing is currently being advertised and rented on Telegram channels. It is not theoretical; it is an active campaign generating revenue for its developers and losses for victims.

Detection & Response

Detecting Android banking trojans requires a shift from traditional file-hash-based detection to behavioral monitoring. RedWing's behaviors (Overlay, Accessibility abuse, SMS theft) are consistent with the MITRE ATT&CK Mobile matrix.

SIGMA Rules

The following Sigma rules target the core behaviors of the RedWing/Oblivion family: the abuse of Accessibility Services and SMS interception.

YAML
---
title: Potential Android Banking Trojan - Accessibility Service Abuse
id: a8b9c0d1-e2f3-4a5b-8c7d-9e0f1a2b3c4d
status: experimental
description: Detects non-system applications requesting or binding to Accessibility Services, a common tactic for Android banking trojans like RedWing to perform overlays and keylogging.
references:
  - https://attack.mitre.org/techniques/T1431/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.t1431
  - attack.credential_access
logsource:
  product: android
  category: application_activity
detection:
  selection:
    EventID: 1 # Placeholder for generic app permission event in MTD solutions
    PermissionRequested|contains: 'android.permission.BIND_ACCESSIBILITY_SERVICE'
  filter:
    PackageName|startswith:
      - 'com.android'
      - 'com.google'
      - 'com Samsung'
  condition: selection and not filter
falsepositives:
  - Legitimate accessibility apps (e.g., screen readers)
level: high
---
title: Potential Android Banking Trojan - SMS Interception
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects applications requesting SMS read permissions typically used to hijack 2FA tokens, consistent with RedWing functionality.
references:
  - https://attack.mitre.org/techniques/T1416/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.t1416
  - attack.collection
logsource:
  product: android
  category: application_activity
detection:
  selection:
    PermissionRequested|contains:
      - 'android.permission.READ_SMS'
      - 'android.permission.RECEIVE_SMS'
  filter_legit_sms:
    PackageName|contains:
      - 'com.android.messaging'
      - 'com.google.android.apps.messaging'
      - 'com.samsung.android.messaging'
  condition: selection and not filter_legit_sms
falsepositives:
  - Legitimate backup or messaging apps
level: medium

KQL (Microsoft Sentinel / Defender for Endpoint)

Hunt for Android devices exhibiting high-risk permission grants or installation of packages from unknown sources.

KQL — Microsoft Sentinel / Defender
// Hunt for Android apps requesting SMS or Accessibility permissions
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("ApplicationInstallation", "PermissionChange")
| where AdditionalFields contains "android.permission.READ_SMS" 
   or AdditionalFields contains "android.permission.RECEIVE_SMS"
   or AdditionalFields contains "android.permission.BIND_ACCESSIBILITY_SERVICE"
| project Timestamp, DeviceName, ActionType, FileName, 
  AdditionalFields, InitiatingProcessAccountName
| where not(FileName has "com.google" or FileName has "com.android" or FileName has "com.samsung")
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for installed Android packages that hold the dangerous permissions associated with RedWing.

VQL — Velociraptor
-- Hunt for Android apps with high-risk permissions (Accessibility/SMS)
SELECT PackageName, VersionName, RequestedPermissions, LastUpdateTime
FROM android_packages()
WHERE RequestedPermissions =~ 'BIND_ACCESSIBILITY_SERVICE'
   OR RequestedPermissions =~ 'READ_SMS'
   OR RequestedPermissions =~ 'RECEIVE_SMS'
-- Filter out common system packages to reduce noise
AND NOT PackageName =~ 'com.google'
AND NOT PackageName =~ 'com.android'
AND NOT PackageName =~ 'com.samsung'

Remediation Script (Bash/ADB)

This administrative script is intended for use with Android Debug Bridge (ADB) or an equivalent MDM shell to audit devices for the presence of apps holding these high-risk permissions.

Bash / Shell
#!/bin/bash
# Audit Android device for apps with dangerous permissions (RedWing indicators)
# Requires root or ADB shell access

echo "Auditing for Accessibility Services abuse..."
# List packages with BIND_ACCESSIBILITY_SERVICE
pm list packages -f | while read -r line; do
  pkg=$(echo "$line" | sed 's/package://')
  # Dump permissions and check for accessibility binding
  if dumpsys package "$pkg" | grep -q 'android.permission.BIND_ACCESSIBILITY_SERVICE'; then
    # Check if it's not a system app
    if ! dumpsys package "$pkg" | grep -q 'flags=[.* SYSTEM'; then
      echo "[ALERT] Non-system app with Accessibility Service: $pkg"
    fi
  fi
done

echo "Auditing for SMS Interception capabilities..."
# List packages with READ_SMS or RECEIVE_SMS
pm list packages -f | while read -r line; do
  pkg=$(echo "$line" | sed 's/package://')
  if dumpsys package "$pkg" | grep -qE 'android.permission.(READ_SMS|RECEIVE_SMS)'; then
     if ! dumpsys package "$pkg" | grep -q 'flags=[.* SYSTEM'; then
      echo "[WARN] Non-system app with SMS permissions: $pkg"
    fi
  fi
done

echo "Audit complete."

Remediation

As RedWing is a trojanized application rather than an OS vulnerability, there is no "patch" in the traditional sense. Remediation relies on policy, hygiene, and endpoint detection.

  1. Mobile Threat Defense (MTD) Deployment: Ensure a robust MTD solution (e.g., Zimperium, Microsoft Defender for Endpoint) is deployed on all corporate-enrolled Android devices. Configure policies to automatically quarantine or warn when Accessibility Services are requested by non-whitelisted apps.

  2. Application Vetting & Allowlisting:

    • Strictly enforce Google Play Store only installations.
    • Disable "Install Unknown Apps" (sideloading) permissions for all users via MDM.
    • Allowlist only necessary banking and utility apps.
  3. User Awareness Training:

    • Educate users on the risks of downloading cracked apps or "updates" from Telegram, forums, or SMS links.
    • Instruct users to be suspicious of apps requesting SMS or Accessibility permissions that are not screen readers or accessibility aids.
  4. Network Segmentation (C2 Blocking): While RedWing uses specific infrastructure, MaaS operations often rotate domains. Focus on blocking known malicious categories and enforcing DNS filtering.

  5. Incident Response: If RedWing is detected:

    • Immediately isolate the device from the network (Wi-Fi and Cellular data).
    • Revoke device access to corporate banking portals via IAM.
    • Wipe the device (Factory Reset) as complete manual removal of persistence mechanisms in Android trojans is difficult to guarantee.
    • Rotate credentials for any banking or authentication services accessed from the device.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionandroid-malwarebanking-trojanredwingmaasmobile-threat-defense

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.