Cyber Web Spider Blog – News
Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Posted on December 22, 2025 By CWS

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan.
"Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper appears to be harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection."
Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or as files of other formats, such as videos, photos, and wedding invitations.
The financially motivated threat actor behind the malware, TrickyWonders, leverages Telegram as the primary platform to coordinate various aspects of the operation. First discovered in November 2023, it is also attributed to two dropper malware families that are designed to conceal the primary encrypted payload –

  • MidnightDat (first seen on August 27, 2025)
  • RoundRift (first seen on October 15, 2025)

Wonderland is mainly propagated using fake Google Play Store web pages, ad campaigns on Facebook, bogus accounts on dating apps, and messaging apps like Telegram, with the attackers abusing stolen Telegram sessions of Uzbek users purchased on dark web markets to distribute APK files to victims' contacts and chats.
Once the malware is installed, it gains access to SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims' bank cards. Other capabilities include retrieving phone numbers, exfiltrating contact lists, hiding push notifications to suppress security or one-time password (OTP) alerts, and even sending SMS messages from infected devices for lateral movement.

However, it is worth pointing out that sideloading the app first requires users to enable a setting that allows installation from unknown sources. This is accomplished by displaying an update screen that instructs them to "install the update to use the app."

"When a victim installs the APK and grants the permissions, the attackers hijack the phone number and attempt to log into the Telegram account registered with that phone number," Group-IB said. "If the login succeeds, the distribution process is repeated, creating a cyclical infection chain."
Wonderland represents the latest evolution of mobile malware in Uzbekistan, which has shifted from rudimentary malware such as Ajina.Banker, which relied on large-scale spam campaigns, to more obfuscated strains like Qwizzserial that were found disguised as seemingly benign media files.
The use of dropper applications is strategic, as it makes them appear harmless and evade security checks. In addition, both the dropper and SMS stealer components are heavily obfuscated and incorporate anti-analysis techniques to make them even more challenging and time-consuming to reverse engineer.
What's more, the use of bidirectional C2 communication transforms the malware from a passive SMS stealer into an active remote-controlled agent that can execute arbitrary USSD requests issued by the server.
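A defender-side triage check for the dropper pattern described above (a benign-looking APK that carries a nested payload and asks for SMS and package-install permissions), added here as an example and not taken from Group-IB's report or tooling; the permission list, the magic-byte checks, the UTF-16/UTF-8 manifest scan and the in-memory sample APK are this example's own assumptions.

```python
import io
import zipfile

# An APK is a ZIP archive. The checks below are heuristics for the dropper
# pattern in the article: a nested APK/DEX payload plus the permissions needed
# to read SMS and to install it locally. Example code, not Group-IB's tooling.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Permission names are real Android identifiers; the selection is this example's.
SUSPECT_PERMS = [
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    INSTALL_PERM,
]

def nested_payloads(apk_bytes):
    """Names of entries that are themselves ZIP/APK or DEX files, ignoring the
    top-level classes*.dex that every legitimate app ships."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(4)
            stray_dex = head == DEX_MAGIC and not info.filename.startswith("classes")
            if head == ZIP_MAGIC or stray_dex:
                hits.append(info.filename)
    return hits

def requested_suspect_perms(apk_bytes):
    """The binary AndroidManifest.xml keeps strings UTF-16LE by default (UTF-8
    when the encoding flag is set), so scan the raw bytes for both forms."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml")
    return [p for p in SUSPECT_PERMS
            if p.encode("utf-16-le") in manifest or p.encode() in manifest]

def triage(apk_bytes):
    perms = requested_suspect_perms(apk_bytes)
    payloads = nested_payloads(apk_bytes)
    # Dropper signal: a nested payload AND the permission to install it locally
    suspicious = bool(payloads) and INSTALL_PERM in perms
    return {"permissions": perms, "payloads": payloads, "suspicious": suspicious}

def build_sample(nested=True):
    """Constructed minimal fake APK for testing; not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        perms = SUSPECT_PERMS if nested else SUSPECT_PERMS[:1]
        zf.writestr("AndroidManifest.xml", b"".join(p.encode("utf-16-le") for p in perms))
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0")
        if nested:
            zf.writestr("assets/update.bin", ZIP_MAGIC + b"\0" * 16)
    return buf.getvalue()
```

Run `triage(open("app.apk", "rb").read())` against a real file; a nested payload alone is not proof of malice, since some legitimate apps bundle plugins, so treat the result as a triage signal to prioritise manual review.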

"The supporting infrastructure has also become more dynamic and resilient," the researchers said. "Operators rely on rapidly changing domains, each of which is used only for a limited set of builds before being replaced. This approach complicates tracking, disrupts blacklist-based defenses, and increases the longevity of command and control channels."
The malicious APK builds are generated using a dedicated Telegram bot and are then distributed by a class of threat actors called workers in exchange for a share of the stolen funds. As part of this effort, each build is associated with its own C2 domains so that any takedown attempt does not bring down the entire attack infrastructure.
The criminal enterprise also includes group owners, developers, and vbivers, who validate stolen card information. This hierarchical structure reflects a new maturation of the financial fraud operation.
"The new wave of malware development in the region clearly demonstrates that methods of compromising Android devices aren't just becoming more sophisticated – they're evolving at a rapid pace," Group-IB said. "Attackers are actively adapting their tools, implementing new approaches to distribution, concealment of activity, and maintaining control over infected devices."

The disclosure coincides with the emergence of new Android malware, such as Cellik, Frogblight, and NexusRoute, that is capable of harvesting sensitive information from compromised devices.
Cellik, which is advertised on the dark web at a starting price of $150 for one month or $900 for a lifetime licence, is equipped with real-time screen streaming, keylogging, remote camera/microphone access, data wiping, hidden web browsing, notification interception, and app overlays to steal credentials.

Perhaps the Trojan's most troubling feature is a one-click APK builder that allows customers to bundle the malicious payload inside legitimate Google Play apps for distribution.
"Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload," iVerify's Daniel Kelley said. "With one click, Cellik will generate a new malicious APK that wraps the RAT inside the chosen legitimate app."
Frogblight, on the other hand, has been found to target users in Turkey via SMS phishing messages that trick recipients into installing the malware under the pretext of viewing court documents related to a court case they are supposedly involved in, Kaspersky said.
Besides stealing banking credentials using WebViews, the malware can collect SMS messages, call logs, a list of apps installed on the device, and device file system information. It can also manage contacts and send arbitrary SMS messages.

Frogblight is believed to be under active development, with the threat actor behind the tool laying the groundwork for it to be distributed under a malware-as-a-service (MaaS) model. This assessment is based on the discovery of a web panel hosted on the C2 server and the fact that only samples using the same key as the web panel login can be remotely managed through it.
Malware families like Cellik and Frogblight are part of a growing trend in Android malware, whereby even attackers with little to no technical expertise can now run mobile campaigns at scale with minimal effort.
In recent weeks, Android users in India have also been targeted by a malware dubbed NexusRoute that employs phishing portals impersonating Indian government services to redirect visitors to malicious APKs hosted on GitHub repositories and GitHub Pages, while simultaneously collecting their personal and financial information.
The bogus sites are designed to infect Android devices with a fully obfuscated remote access trojan (RAT) that can steal mobile numbers, vehicle data, UPI PINs, OTPs, and card details, as well as harvest extensive data by abusing accessibility services and prompting users to set it as the default home screen launcher.

"Threat actors increasingly weaponize government branding, payment workflows, and citizen service portals to deploy financially driven malware and phishing attacks under the guise of legitimacy," CYFIRMA said. "The malware performs SMS interception, SIM profiling, contact theft, call-log harvesting, file access, screenshot capture, microphone activation, and GPS tracking."
Further analysis of an embedded email address, "gymkhana.studio@gmail[.]com", has linked NexusRoute to a broader underground development ecosystem, raising the possibility that it is part of a professionally maintained, large-scale fraud and surveillance infrastructure.
"The NexusRoute campaign represents a highly mature, professionally engineered mobile cybercrime operation that combines phishing, malware, financial fraud, and surveillance into a unified attack framework," the company said. "The use of native-level obfuscation, dynamic loaders, automated infrastructure, and centralized surveillance control places this campaign well beyond the capabilities of common scam actors."

Source: The Hacker News
