Suzanne Kantra/Techlicious generated by ChatGPT
Bank-fraud malware attacks are about to get a lot more common because anyone can now rent a ready-made Android banking trojan kit off Telegram. A banking trojan is malicious software disguised as a legitimate app that, once installed, is built specifically to steal money from your bank or payment accounts. The kit making the rounds now is called RedWing, and security researchers at Zimperium zLabs have been tracking it as it spreads through criminal channels this month.
RedWing is what's known as malware-as-a-service. It works a lot like Microsoft 365 or any other subscription service you already pay for: someone builds the product once, maintains it, pushes updates, and sells access to anyone willing to pay. According to Zimperium's research, RedWing's subscribers get a working toolkit for hijacking Android banking apps: fake login screens that sit on top of your real bank's app and capture your credentials without your noticing, plus the ability to intercept the one-time codes your bank texts you and take remote control of the phone once it's infected.
Building something like that from scratch used to require serious malware-development expertise, the kind that takes years to acquire and constant updating to keep ahead of Android's defenses. Renting it through Telegram, where it's being marketed and sold, makes assembling working bank-fraud malware about as easy as putting together a PowerPoint presentation.
RedWing can't do the hard work of getting itself onto your phone, so it needs you to do that part yourself, which means the entire operation still comes down to social engineering. A criminal renting this kit is counting on convincing you that a fake banking app is real: a text with a link to "update your banking app," a search result for your bank that leads somewhere it shouldn't, a prompt during a phone call from someone pretending to be your bank's fraud department. Once you install what you think is a legitimate app, RedWing does the rest.
Everything in this story comes down to one moment: whether you install something you shouldn't. Only download banking apps through the Google Play Store, never from a link in a text or email, even one that looks like it came from your bank. Google has started fighting this exact tactic directly: a new mandatory 24-hour wait for sideloading apps from unverified developers is designed to break the live-call pressure scammers rely on. Be skeptical of any app requesting permission to read your SMS messages or access to Android's accessibility services, since those are the permissions banking trojans need to function, and no legitimate banking app has a good reason to ask for them.
If your bank offers app-based login alerts or transaction notifications, turn them on, since catching fraudulent activity within minutes rather than days is often what determines whether you get your money back. A good antivirus app is one of the few defenses that can catch this kind of malware before it does damage, in case something slips past your other precautions.
If you've already installed a banking app from anywhere other than the Play Store, don't wait to find out whether it was real. Uninstall it, run a scan with a mobile security app, and call your bank's fraud line directly using the number on the back of your card, not any number the app or a text gave you. Watch your account for a few weeks afterward, since stolen credentials don't always get used immediately.
This rental-kit model already reshaped ransomware, turning it from a niche threat into an everyday one over the past several years. Expect the same trajectory here: once one banking trojan proves profitable as a rental, competitors typically follow with their own kits, often targeting other platforms or other categories of fraud. For us, that means remaining increasingly vigilant for these risks across all of our online activities.
Read next: The best antivirus apps for Android in 2026