A complicated new Android malware household known as Wonderland has emerged as a major risk to customers in Uzbekistan and the broader Central Asia area.
The malware, which makes a speciality of stealing SMS messages and intercepting one-time passwords, represents a serious escalation in cellular threats focusing on monetary techniques.
First found in October 2025, this superior stealer demonstrates technical sophistication far past earlier regional malware variants.
The Wonderland malware operates by means of a multi-stage an infection chain that begins with seemingly innocent dropper purposes.
These droppers are disguised as respectable software program or media information, making them seem reliable to unsuspecting customers.
As soon as put in, the dropper silently extracts and deploys the precise SMS-stealing payload with out requiring extra consumer interplay.
Screenshots of letters or messages that impersonate official courtroom paperwork or summons (Supply – Group-IB)
This covert supply technique considerably will increase an infection success charges whereas evading conventional safety detection mechanisms.
What makes Wonderland significantly harmful is its use of superior evasion strategies. The malware contains built-in protections in opposition to evaluation, detecting when it runs on emulators, rooted units, or sandboxed environments.
When such circumstances are detected, the malware terminates instantly, stopping researchers from learning its conduct.
A collection of screenshots of a dropper malware masquerading as an app on Google Play (Supply – Group-IB)
Moreover, the code employs heavy obfuscation, together with lengthy strings of repetitive characters, which makes reverse engineering extraordinarily troublesome for safety analysts.
Group-IB analysts recognized and documented the malware’s capabilities by means of intensive analysis and risk intelligence gathering.
The researchers famous that Wonderland is the primary mass-spreading Android SMS stealer in Uzbekistan that helps true bidirectional command-and-control communication.
Not like earlier malware that operated in a one-way transmission mannequin, Wonderland implements the WebSocket protocol for steady two-way communication with attackers’ servers.
Bidirectional Command and Management Mechanism
The true innovation behind Wonderland lies in its command-and-control structure. The malware can obtain real-time instructions from attackers, enabling dynamic execution of dangerous actions.
It helps arbitrary USSD requests, enabling attackers to govern carrier-specific codes on the fly reasonably than counting on hardcoded values.
This flexibility permits attackers to allow name forwarding and execute superior fraud strategies.
The malware additionally sends arbitrary SMS messages and suppresses push notifications, successfully hiding safety alerts and OTPs throughout lively monetary fraud makes an attempt.
The technical implementation reveals a classy understanding of Android internals. The WebSocket connection maintains persistent communication, making a distant entry software reasonably than a easy information stealer.
Up to date community infrastructure (Supply – Group-IB)
When the malware detects incoming instructions, it processes them by means of a handler that interprets requests and executes corresponding operations on the compromised system.
Code obfuscation makes it extraordinarily difficult for analysts to determine particular command handlers.
Group-IB’s analysis signifies that legal teams working the malware infrastructure earned greater than $2 million in 2025 alone, underscoring the numerous real-world influence.
Malware distribution scheme on Telegram (Supply – Group-IB)
The malware is distributed primarily by way of Telegram, leveraging stolen consumer periods and social engineering ways to deceive victims.
Organizations and customers ought to implement complete safety monitoring and keep away from putting in purposes from untrusted sources to guard in opposition to this evolving risk.
Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most well-liked Supply in Google.
