Find notable cyber news and cases, enriched with sources, timelines, and signals.

RedWing Android bank-fraud malware rental service

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique sources, 1 articles

Summary

Hide ▲

The RedWing Android malware service is being rented on Telegram to steal banking logins, OTPs, and device control, raising fraud risk for banking and cryptocurrency apps. The kit reaches victims through phishing links that open fake app-store pages and coax them into sideloading a dropper. Once permissions are granted, it uses Accessibility abuse, fake login overlays, and call forwarding to capture credentials and verification codes. It also supports live screen streaming, a keylogger, and other on-device fraud functions that make account takeover harder to detect.

Related Happenings

RedWing Android spyware rented through Telegram

Malware Activity
H score21 First: 08.07.2026 18:30 Last: 08.07.2026 18:30 Sources 1

About this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...

Google Play Protect adds warnings and app disabling for compromised SDK abuse

Security Tool/Service
H score11 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score25 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Timeline

  1. 07.07.2026 20:10 2 articles · 2d ago

    RedWing is rented on Telegram as an Android bank-fraud service

    Initial Disclosure

    RedWing is a Telegram-rented Android bank-fraud service that uses phishing links, fake app-store pages, staged permission prompts, Accessibility abuse, fake login overlays, and call forwarding to steal banking logins, one-time codes, and other device data from victims who sideload the app. The operation is sold in subscription tiers with referral discounts, guides, and how-to videos, can mimic Google Play, the Galaxy Store, AppGallery, or RuStore, and is described as targeting 82 institutions across several sectors with a strong focus on Russian financial firms.

    Show sources