Zimperium's zLabs has uncovered a significant evolution in mobile threat landscape: RedWing. This is a new Android banking trojan distributed strictly as Malware-as-a-Service (MaaS) via Telegram. Modeled after the infrastructure of the notorious Oblivion trojan, RedWing effectively commoditizes mobile bank fraud. For a subscription fee, low-skilled actors can rent this ready-made capability to hijack devices, harvest banking credentials, and intercept SMS one-time passwords (OTPs).
For defenders, this represents a dangerous lowering of the barrier to entry. We are no longer dealing exclusively with sophisticated nation-state actors or highly skilled cybercriminals; we are facing "crime-as-a-service" operators democratizing account takeover (ATO) capabilities. The urgency here is high: if your organization allows BYOD or manages corporate Android devices with access to financial applications, RedWing poses a direct and immediate threat to the integrity of your corporate banking and authentication mechanisms.
Technical Analysis
Affected Platform: Android (Multiple versions; banking trojans typically target Android 7.0 and up, though specific RedWing version dependencies are still being analyzed by Zimperium).
Threat Vector: Social Engineering / Phishing / Smishing. RedWing is distributed via trojanized applications, often masquerading as legitimate utility or banking apps.
Attack Chain & Functionality:
- Infection: The user is tricked into downloading and installing a malicious APK (often outside the Google Play Store).
- Permission Abuse: Upon execution, RedWing requests critical permissions, specifically Accessibility Services and SMS Reading/Receiving.
- Overlay Attacks & Keylogging: By abusing Accessibility Services, the malware can read screen content, intercept inputs, and draw overlays (fake login screens) on top of legitimate banking apps to capture credentials.
- 2FA Bypass: Using SMS permissions, RedWing captures incoming OTP codes, relaying them to the attacker's C2 server, effectively neutralizing SMS-based 2FA.
- Remote Control: The MaaS backend provides the "renter" with a web panel to control infected devices, view logs, and manage stolen sessions.
Exploitation Status: Confirmed Active. RedWing is currently being advertised and rented on Telegram channels. It is not theoretical; it is an active campaign generating revenue for its developers and losses for victims.
Detection & Response
Detecting Android banking trojans requires a shift from traditional file-hash-based detection to behavioral monitoring. RedWing's behaviors (Overlay, Accessibility abuse, SMS theft) are consistent with the MITRE ATT&CK Mobile matrix.
SIGMA Rules
The following Sigma rules target the core behaviors of the RedWing/Oblivion family: the abuse of Accessibility Services and SMS interception.
---
title: Potential Android Banking Trojan - Accessibility Service Abuse
id: a8b9c0d1-e2f3-4a5b-8c7d-9e0f1a2b3c4d
status: experimental
description: Detects non-system applications requesting or binding to Accessibility Services, a common tactic for Android banking trojans like RedWing to perform overlays and keylogging.
references:
- https://attack.mitre.org/techniques/T1431/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.t1431
- attack.credential_access
logsource:
product: android
category: application_activity
detection:
selection:
EventID: 1 # Placeholder for generic app permission event in MTD solutions
PermissionRequested|contains: 'android.permission.BIND_ACCESSIBILITY_SERVICE'
filter:
PackageName|startswith:
- 'com.android'
- 'com.google'
- 'com Samsung'
condition: selection and not filter
falsepositives:
- Legitimate accessibility apps (e.g., screen readers)
level: high
---
title: Potential Android Banking Trojan - SMS Interception
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects applications requesting SMS read permissions typically used to hijack 2FA tokens, consistent with RedWing functionality.
references:
- https://attack.mitre.org/techniques/T1416/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.t1416
- attack.collection
logsource:
product: android
category: application_activity
detection:
selection:
PermissionRequested|contains:
- 'android.permission.READ_SMS'
- 'android.permission.RECEIVE_SMS'
filter_legit_sms:
PackageName|contains:
- 'com.android.messaging'
- 'com.google.android.apps.messaging'
- 'com.samsung.android.messaging'
condition: selection and not filter_legit_sms
falsepositives:
- Legitimate backup or messaging apps
level: medium
KQL (Microsoft Sentinel / Defender for Endpoint)
Hunt for Android devices exhibiting high-risk permission grants or installation of packages from unknown sources.
// Hunt for Android apps requesting SMS or Accessibility permissions
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("ApplicationInstallation", "PermissionChange")
| where AdditionalFields contains "android.permission.READ_SMS"
or AdditionalFields contains "android.permission.RECEIVE_SMS"
or AdditionalFields contains "android.permission.BIND_ACCESSIBILITY_SERVICE"
| project Timestamp, DeviceName, ActionType, FileName,
AdditionalFields, InitiatingProcessAccountName
| where not(FileName has "com.google" or FileName has "com.android" or FileName has "com.samsung")
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for installed Android packages that hold the dangerous permissions associated with RedWing.
-- Hunt for Android apps with high-risk permissions (Accessibility/SMS)
SELECT PackageName, VersionName, RequestedPermissions, LastUpdateTime
FROM android_packages()
WHERE RequestedPermissions =~ 'BIND_ACCESSIBILITY_SERVICE'
OR RequestedPermissions =~ 'READ_SMS'
OR RequestedPermissions =~ 'RECEIVE_SMS'
-- Filter out common system packages to reduce noise
AND NOT PackageName =~ 'com.google'
AND NOT PackageName =~ 'com.android'
AND NOT PackageName =~ 'com.samsung'
Remediation Script (Bash/ADB)
This administrative script is intended for use with Android Debug Bridge (ADB) or an equivalent MDM shell to audit devices for the presence of apps holding these high-risk permissions.
#!/bin/bash
# Audit Android device for apps with dangerous permissions (RedWing indicators)
# Requires root or ADB shell access
echo "Auditing for Accessibility Services abuse..."
# List packages with BIND_ACCESSIBILITY_SERVICE
pm list packages -f | while read -r line; do
pkg=$(echo "$line" | sed 's/package://')
# Dump permissions and check for accessibility binding
if dumpsys package "$pkg" | grep -q 'android.permission.BIND_ACCESSIBILITY_SERVICE'; then
# Check if it's not a system app
if ! dumpsys package "$pkg" | grep -q 'flags=[.* SYSTEM'; then
echo "[ALERT] Non-system app with Accessibility Service: $pkg"
fi
fi
done
echo "Auditing for SMS Interception capabilities..."
# List packages with READ_SMS or RECEIVE_SMS
pm list packages -f | while read -r line; do
pkg=$(echo "$line" | sed 's/package://')
if dumpsys package "$pkg" | grep -qE 'android.permission.(READ_SMS|RECEIVE_SMS)'; then
if ! dumpsys package "$pkg" | grep -q 'flags=[.* SYSTEM'; then
echo "[WARN] Non-system app with SMS permissions: $pkg"
fi
fi
done
echo "Audit complete."
Remediation
As RedWing is a trojanized application rather than an OS vulnerability, there is no "patch" in the traditional sense. Remediation relies on policy, hygiene, and endpoint detection.
-
Mobile Threat Defense (MTD) Deployment: Ensure a robust MTD solution (e.g., Zimperium, Microsoft Defender for Endpoint) is deployed on all corporate-enrolled Android devices. Configure policies to automatically quarantine or warn when Accessibility Services are requested by non-whitelisted apps.
-
Application Vetting & Allowlisting:
- Strictly enforce Google Play Store only installations.
- Disable "Install Unknown Apps" (sideloading) permissions for all users via MDM.
- Allowlist only necessary banking and utility apps.
-
User Awareness Training:
- Educate users on the risks of downloading cracked apps or "updates" from Telegram, forums, or SMS links.
- Instruct users to be suspicious of apps requesting SMS or Accessibility permissions that are not screen readers or accessibility aids.
-
Network Segmentation (C2 Blocking): While RedWing uses specific infrastructure, MaaS operations often rotate domains. Focus on blocking known malicious categories and enforcing DNS filtering.
-
Incident Response: If RedWing is detected:
- Immediately isolate the device from the network (Wi-Fi and Cellular data).
- Revoke device access to corporate banking portals via IAM.
- Wipe the device (Factory Reset) as complete manual removal of persistence mechanisms in Android trojans is difficult to guarantee.
- Rotate credentials for any banking or authentication services accessed from the device.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.