In short: On 7 July 2026 Zimperium zLabs disclosed RedWing — a ready-made Android "malware-as-a-service" platform that anyone can rent through a Telegram bot, complete with subscription tiers, referral discounts and training videos. A buyer generates a custom malicious app that steals banking and crypto logins, intercepts SMS one-time codes and even reroutes bank fraud-check calls. Researchers counted 82 targeted organisations, with a strong focus on Russian financial institutions. The core defence: install apps only from official stores, never grant Accessibility to apps that do not need it, and turn on transaction alerts.
What happened
Analysts at Zimperium zLabs published a breakdown of RedWing, a commercial-grade Android banking trojan sold not as a one-off tool but as a subscription service. Through a Telegram channel the operators offer tiered pricing, referral discounts that reward buyers for spreading the malware further, seller documentation and how-to videos — a low barrier that lets even inexperienced criminals launch bank-fraud campaigns. A Telegram bot builds and obfuscates a fresh malicious APK on demand. Because these campaigns almost always start with a booby-trapped download, it is worth reviewing the basics first in our guide on how to download apps and a VPN safely.
RedWing spreads through phishing links that lead to fake app-store pages imitating Google Play, Samsung Galaxy Store and Huawei AppGallery; one sample even mimicked a RuStore page. Zimperium identified 82 targeted organisations across several market verticals, with a pronounced focus on Russian banks and financial services — which puts Russian-speaking users squarely in the crosshairs.
What RedWing can do
Once installed and granted Accessibility, RedWing gives the operator near-total remote control of the phone through live screen streaming and virtual interaction with the device. It displays fake login overlays on top of banking and cryptocurrency apps, so credentials you type go straight to the attacker. It reads incoming SMS to grab one-time codes, extracts PINs and card numbers shown on screen, logs keystrokes, and steals contacts, messages, files, photos and device data. It can also reach the camera, microphone and geolocation, and even use the infected fleet for DDoS attacks.
Its standout trick targets phone-based verification. On command from its control server, RedWing quietly dials a hidden *21* request to switch on call forwarding, redirecting the victim's incoming calls to an attacker-controlled number. That neutralises voice two-factor authentication and lets criminals intercept the anti-fraud calls a bank makes to confirm a suspicious transfer. To get there, the app pushes the user to remove battery restrictions and grant SMS-handler, notification and Accessibility permissions.
What it means for your data and money
The prize is direct access to your accounts. With overlays, SMS interception and call forwarding working together, an attacker can log in as you, approve transfers and defeat the checks meant to stop them — while also harvesting your messages, contacts and files. Modern banking trojans do not break encryption; they trick the person and take over the screen. That is why protection starts with habits, not just tools. For safe day-to-day banking, see our piece on secure online banking, and if you fear your data has already leaked, check with how to detect a personal-data leak.
How can you protect yourself?
Install apps only from official stores. RedWing lives on fake store pages reached through phishing links. Never install an APK from a link in a message, SMS or ad, and disable installation from unknown sources.
Do not hand out Accessibility rights. That one permission is what lets RedWing drive your screen and input. A wallpaper app or a "delivery" tool has no reason to need it.
Watch for silent call forwarding. If your calls suddenly stop arriving, dial ##21# to check and cancel forwarding, and contact your carrier. Enable bank transaction alerts so theft shows up immediately.
Keep Android and Google Play Protect updated, and use two-factor methods that are not tied only to SMS. To understand where a VPN does and does not help, see our explainer on what a VPN protects you from — and what it does not.
Where does a VPN fit in?
Be honest about the limits: a VPN cannot remove a trojan that is already on your phone — that is the job of safe installs and mobile antivirus. What it does cover is the network layer where infection often begins: it encrypts your traffic on untrusted Wi-Fi so logins and codes cannot be intercepted in transit, and hides your real IP from the fake sites and trackers that lure victims in. See how LiMP VPN handles encryption and pick a plan on our pricing page. Treat it as one layer alongside careful installs and app hygiene.
Sources
This report is based on the RedWing research published on 7 July 2026 by Zimperium zLabs, covered by The Hacker News and the Russian-language Anti-Malware.ru.
