Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan.

“Previously, users received ‘pure’ Trojan APKs that acted as malware immediately upon installation,” Group-IB said in an analysis published last week. “Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection.”

Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or as files of other formats, such as videos, photos, and wedding invitations.

The financially motivated threat actor behind the malware, TrickyWonders, leverages Telegram as the primary platform to coordinate various aspects of the operation. First discovered in November 2023, it is also attributed to two dropper malware families that are designed to conceal the primary encrypted payload –

  • MidnightDat (First seen on August 27, 2025)
  • RoundRift (First seen on October 15, 2025)

Wonderland is mainly propagated using fake Google Play Store web pages, ad campaigns on Facebook, bogus accounts on dating apps, and messaging apps like Telegram, with the attackers abusing stolen Telegram sessions of Uzbek users sold on dark web markets to distribute APK files to victims’ contacts and chats.

Once the malware is installed, it gains access to SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims’ bank cards. Other capabilities include retrieving phone numbers, exfiltrating contact lists, hiding push notifications to suppress security or one-time password (OTP) alerts, and even sending SMS messages from infected devices for lateral movement.


However, it is worth mentioning that sideloading the app first requires users to enable a setting that allows installation from unknown sources. This is achieved by displaying an update screen that instructs them to “install the update to use the app.”

“When a victim installs the APK and grants the permissions, the attackers hijack the phone number and attempt to log into the Telegram account registered with that phone number,” Group-IB said. “If the login succeeds, the distribution process is repeated, creating a cyclical infection chain.”

Wonderland represents the latest evolution of mobile malware in Uzbekistan, which has shifted from rudimentary malware such as Ajina.Banker, which relied on large-scale spam campaigns, to more obfuscated strains like Qwizzserial, which has been found disguised as seemingly benign media files.

The use of dropper applications is strategic, as it makes them appear harmless and evade security checks. In addition, both the dropper and the SMS stealer components are heavily obfuscated and incorporate anti-analysis techniques to make them even more challenging and time-consuming to reverse engineer.
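A dropper of the kind described above ships its real payload as a second DEX, APK or encrypted blob inside its own package. The following triage script is an added example, not Group-IB's tooling or code from the campaign: it walks an APK's ZIP entries, skips the places where code and resources legitimately live, and flags anything else that carries an executable magic or that is large and high-entropy (a common sign of an encrypted payload). The APK it inspects is constructed inline for the demo.

```python
import io
import math
import random
import zipfile

# Magic bytes of payload formats a dropper may hide inside its own APK.
PAYLOAD_MAGICS = {b"dex\n": "embedded DEX", b"PK\x03\x04": "embedded APK/ZIP", b"\x7fELF": "embedded native library"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> list:
    """Flag non-code entries that look like an embedded or encrypted payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # The manifest, classes*.dex, resources and signatures are expected; skip them.
            if name == "AndroidManifest.xml" or name.endswith(".dex") \
                    or name.startswith(("res/", "META-INF/")):
                continue
            data = zf.read(name)
            reason = PAYLOAD_MAGICS.get(data[:4])
            if reason is None and len(data) >= 1024 and shannon_entropy(data) >= entropy_threshold:
                reason = "high-entropy blob (possibly an encrypted payload)"
            if reason:
                findings.append({"entry": name, "size": len(data), "reason": reason})
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample for the demo, not a real malware artifact: a plausible
    APK layout carrying a second DEX and a random-looking 'video' under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 100)
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
        zf.writestr("assets/strings.txt", b"hello world " * 200)  # benign, low entropy
        zf.writestr("assets/update.bin", b"dex\n035\0" + b"\0" * 100)  # hidden DEX
        zf.writestr("assets/video.mp4", random.Random(1).randbytes(4096))  # looks encrypted
    return buf.getvalue()
```

The entropy threshold is a heuristic: legitimately compressed media also scores high, so a hit is a prompt to unpack and look, not a verdict.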

What’s more, the use of bidirectional C2 communication transforms the malware from a passive SMS stealer into an active remote-controlled agent that can execute arbitrary USSD requests issued by the server.

“The supporting infrastructure has also become more dynamic and resilient,” the researchers said. “Operators rely on rapidly changing domains, each of which is used only for a limited set of builds before being replaced. This approach complicates tracking, disrupts blacklist-based defenses, and increases the longevity of command and control channels.”

The malicious APK builds are generated using a dedicated Telegram bot and are then distributed by a class of threat actors called workers in exchange for a share of the stolen funds. As part of this effort, each build is associated with its own C2 domains, so that any takedown attempt does not bring down the entire attack infrastructure.

The criminal enterprise also consists of group owners, developers, and vbivers, who validate stolen card information. This hierarchical structure reflects a new maturation of the financial fraud operation.

“The new wave of malware development in the region clearly demonstrates that methods of compromising Android devices are not just becoming more sophisticated – they’re evolving at a rapid pace,” Group-IB said. “Attackers are actively adapting their tools, implementing new approaches to distribution, concealment of activity, and maintaining control over infected devices.”

The disclosure coincides with the emergence of new Android malware, such as Cellik, Frogblight, and NexusRoute, that is capable of harvesting sensitive information from compromised devices.

Cellik, which is advertised on the dark web for a starting price of $150 for one month or $900 for a lifetime licence, is equipped with real-time screen streaming, keylogging, remote camera/microphone access, data wiping, hidden web browsing, notification interception, and app overlays to steal credentials.

Perhaps the Trojan’s most troubling feature is a one-click APK builder that allows customers to bundle the malicious payload inside legitimate Google Play apps for distribution.

“Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload,” iVerify’s Daniel Kelley said. “With one click, Cellik will generate a new malicious APK that wraps the RAT inside the chosen legitimate app.”

Frogblight, on the other hand, has been found to target users in Turkey via SMS phishing messages that trick recipients into installing the malware under the pretext of viewing court documents related to a court case they are supposedly involved in, Kaspersky said.

Besides stealing banking credentials using WebViews, the malware can collect SMS messages, call logs, a list of installed apps on the device, and device file system information. It can also manage contacts and send arbitrary SMS messages.


Frogblight is believed to be under active development, with the threat actor behind the tool laying the groundwork for it to be distributed under a malware-as-a-service (MaaS) model. This assessment is based on the discovery of a web panel hosted on the C2 server and the fact that only samples using the same key as the web panel login can be remotely managed through it.

Malware families like Cellik and Frogblight are part of a growing trend in Android malware, whereby even attackers with little to no technical expertise can now run mobile campaigns at scale with minimal effort.

In recent weeks, Android users in India have also been targeted by a malware dubbed NexusRoute that employs phishing portals impersonating Indian government services to redirect visitors to malicious APKs hosted on GitHub repositories and GitHub Pages, while simultaneously collecting their personal and financial information.

The bogus sites are designed to infect Android devices with a fully obfuscated remote access trojan (RAT) that can steal mobile numbers, vehicle data, UPI PINs, OTPs, and card details, as well as harvest extensive data by abusing accessibility services and prompting users to set it as the default home screen launcher.
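The capabilities attributed to Wonderland (SMS/OTP interception, notification suppression, USSD requests, contact theft) and to NexusRoute (accessibility abuse, default home launcher) all leave traces in an app's manifest. The script below is an added example written for this article, not code from Group-IB, CYFIRMA or any of the malware families: it scores a decoded AndroidManifest.xml (the plain-XML form a tool such as apktool emits, which is an assumption about the input) for those permission, service and intent-filter combinations. The manifest it analyses is constructed for the demo.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android: attributes

# Permissions that enable the capabilities the article describes.
PERMISSION_SIGNALS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS and OTP codes",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS from the device (self-propagation)",
    "android.permission.CALL_PHONE": "dial numbers and USSD codes",
    "android.permission.READ_CONTACTS": "exfiltrate the contact list",
}
# Services bound with these permissions can read/dismiss notifications or drive the UI.
SERVICE_SIGNALS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read or suppress notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "abuse accessibility services",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the package name, the risky signals found, and a simple count-based score."""
    root = ET.fromstring(xml_text)
    signals = []
    for p in root.iter("uses-permission"):
        name = p.get(A + "name")
        if name in PERMISSION_SIGNALS:
            signals.append(f"{name}: {PERMISSION_SIGNALS[name]}")
    for s in root.iter("service"):
        perm = s.get(A + "permission")
        if perm in SERVICE_SIGNALS:
            signals.append(f"{perm}: {SERVICE_SIGNALS[perm]}")
    for act in root.iter("activity"):
        if any(c.get(A + "name") == "android.intent.category.HOME" for c in act.iter("category")):
            signals.append("HOME launcher activity: can replace the home screen")
    return {"package": root.get("package"), "signals": signals, "score": len(signals)}

# Constructed sample manifest (decoded form); not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeplay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <category android:name="android.intent.category.HOME"/>
      </intent-filter>
    </activity>
    <service android:name=".Listener" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

A high score is a triage prompt, not proof: a legitimate SMS app or launcher will trip some of these checks, so the value is in the combination (SMS plus launcher plus notification listener) rather than any single signal.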

“Threat actors increasingly weaponize government branding, payment workflows, and citizen service portals to deploy financially driven malware and phishing attacks under the guise of legitimacy,” CYFIRMA said. “The malware performs SMS interception, SIM profiling, contact theft, call-log harvesting, file access, screenshot capture, microphone activation, and GPS tracking.”

Further analysis of an embedded email address, “gymkhana.studio@gmail[.]com”, has linked NexusRoute to a broader underground development ecosystem, raising the possibility that it is part of a professionally maintained, large-scale fraud and surveillance infrastructure.

“The NexusRoute campaign represents a highly mature, professionally engineered mobile cybercrime operation that combines phishing, malware, financial fraud, and surveillance into a unified attack framework,” the company said. “The use of native-level obfuscation, dynamic loaders, automated infrastructure, and centralized surveillance control places this campaign well beyond the capabilities of common scam actors.”
