
From Trojan APKs to Stealthy Droppers: Wonderland Android Malware Evolves


Threat actors are actively leveraging malicious dropper applications disguised as legitimate apps to distribute an Android SMS stealer known as Wonderland in mobile attacks targeting users in Uzbekistan.

Shift From Direct Trojans to Stealthy Droppers

“Previously, users received ‘pure’ Trojan APKs that acted as malware immediately upon installation,” Group-IB said in an analysis published last week. “Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection.”

This shift highlights a deliberate move toward stealth, as attackers now prioritize deception and persistence over immediate execution.
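The offline dropper pattern Group-IB describes (a harmless-looking APK whose real code is an encrypted or nested payload unpacked locally) leaves a trace a triage pipeline can look for: a DEX, ELF or ZIP header, or a high-entropy blob, sitting in the APK's asset directories. The script below is an added example written for this page, not Group-IB's tooling and not derived from a Wonderland sample; it assumes the payload is stored under assets/ or res/raw/ (the usual places, but configurable) and builds its own constructed stand-in APK so it runs offline.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Added triage example (not Group-IB code). Assumption: the dropper keeps its
# payload under assets/ or res/raw/; adjust PAYLOAD_DIRS for other layouts.
PAYLOAD_DIRS = ("assets/", "res/raw/")
MAGICS = {
    b"dex\n": "embedded DEX (loadable with DexClassLoader)",
    b"PK\x03\x04": "nested ZIP/APK",
    b"\x7fELF": "embedded native ELF binary",
}
# Formats that are legitimately high-entropy, so entropy alone is not evidence.
COMPRESSED_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".mp4", ".ogg", ".ttf", ".otf")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or packed data sits near 8.0
MIN_SIZE = 4096           # ignore tiny config blobs


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes) -> list[dict]:
    """Return one finding per asset that looks like a hidden payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith(PAYLOAD_DIRS) or name.endswith("/"):
                continue
            data = zf.read(name)
            for magic, label in MAGICS.items():
                if data.startswith(magic):
                    findings.append({"entry": name, "reason": label, "size": len(data)})
                    break
            else:
                # No recognisable header: an encrypted or XOR-ed payload shows up as
                # high entropy in a file type that has no business being random.
                ent = shannon_entropy(data)
                if (len(data) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD
                        and not name.lower().endswith(COMPRESSED_EXT)):
                    findings.append({"entry": name, "size": len(data),
                                     "reason": f"high-entropy blob ({ent:.2f} bits/byte), possibly encrypted payload"})
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK (not a real malware sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)           # payload APK's code
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\0" * 32)  # binary XML header
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)                 # the dropper's own code
        z.writestr("assets/config.json", b'{"theme": "light", "lang": "uz"}') # benign, low entropy
        z.writestr("assets/update.apk", inner.getvalue())                     # nested APK
        z.writestr("assets/data.bin", random.Random(1337).randbytes(8192))    # encrypted-looking blob
        # A PNG is also near 8 bits/byte, but it is excluded by extension: a legitimate false-positive trap.
        z.writestr("res/raw/logo.png", b"\x89PNG\r\n\x1a\n" + random.Random(7).randbytes(4096))
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['entry']:<20} {f['size']:>6} B  {f['reason']}")
```

On the constructed sample the scan flags assets/update.apk (nested archive) and assets/data.bin (high entropy) and leaves config.json and the PNG alone. The entropy rule is a pointer for a human, not a verdict: a packed asset in a legitimate game looks the same, so the next step is to check whether the app's code actually hands that blob to DexClassLoader or a native loader.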

Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication that enables attackers to execute commands in real time. As a result, operators can issue arbitrary USSD requests and steal SMS messages. The malware frequently masquerades as Google Play or as files in other formats, including videos, photos, and wedding invitations, to lure victims into installation.

Threat Actor Operations and Dropper Infrastructure

The financially motivated threat actor behind the malware, TrickyWonders, relies on Telegram as the primary platform to coordinate multiple aspects of the operation. First identified in November 2023, the actor also operates two dropper malware families designed to conceal the primary encrypted payload:

  • MidnightDat (First seen on August 27, 2025)
  • RoundRift (First seen on October 15, 2025)

Meanwhile, attackers mainly propagate Wonderland through fake Google Play Store web pages, Facebook ad campaigns, fraudulent dating app profiles, and messaging platforms such as Telegram. In addition, they abuse stolen Telegram sessions belonging to Uzbek users—purchased on dark web marketplaces—to distribute malicious APK files directly to victims’ contacts and chat groups.

Once installed, the malware immediately gains access to SMS messages and intercepts one-time passwords (OTPs). The group then uses these codes to siphon funds from victims’ bank cards. Beyond that, Wonderland retrieves phone numbers, exfiltrates contact lists, hides push notifications to suppress security or OTP alerts, and sends SMS messages from infected devices to spread to further victims.

Social Engineering and Sideloading Abuse

However, attackers must first convince users to sideload the app by enabling installation from unknown sources. To achieve this, they display an update screen instructing users to “install the update to use the app.”

“When a victim installs the APK and provides the permissions, the attackers hijack the phone number and attempt to log into the Telegram account registered with that phone number,” Group-IB said. “If the login succeeds, the distribution process is repeated, creating a cyclical infection chain.”

Evolution of Mobile Malware in Uzbekistan

Wonderland marks the latest stage in the evolution of mobile malware targeting Uzbekistan. Earlier threats, such as Ajina.Banker, relied heavily on large-scale spam campaigns, while newer strains like Qwizzserial adopted heavier obfuscation and disguised themselves as seemingly benign media files.

Attackers strategically use dropper applications because they appear harmless and evade many security checks. Furthermore, both the dropper and SMS stealer components employ heavy obfuscation and anti-analysis techniques, significantly increasing the effort required to reverse engineer them.

More importantly, bidirectional C2 communication transforms Wonderland from a passive SMS stealer into an active, remotely controlled agent capable of executing arbitrary USSD requests issued by the server.

“The supporting infrastructure has also become more dynamic and resilient,” the researchers said. “Operators rely on rapidly changing domains, each of which is used only for a limited set of builds before being replaced. This approach complicates monitoring, disrupts blacklist-based defenses, and increases the longevity of command and control channels.”

To support this model, attackers generate malicious APK builds through a dedicated Telegram bot. Workers then distribute these builds in exchange for a share of the stolen funds. Notably, each build uses unique C2 domains, ensuring that takedown efforts do not disrupt the broader infrastructure.

The criminal operation also includes group owners, developers, and “vbivers” (a term from Russian-language carding slang) responsible for validating stolen card information. This layered hierarchy underscores the growing maturity of the financial fraud ecosystem.

“The new wave of malware development in the region clearly demonstrates that methods of compromising Android devices are not just becoming more sophisticated – they are evolving at a rapid pace,” Group-IB said. “Attackers are actively adapting their tools, implementing new approaches to distribution, concealment of activity, and maintaining control over infected devices.”

Broader Surge in Android Malware

At the same time, researchers have observed the emergence of additional Android malware families, including Cellik, Frogblight, and NexusRoute, all capable of harvesting sensitive data from compromised devices.

Cellik, advertised on dark web forums for $150 per month or $900 for a lifetime license, offers real-time screen streaming, keylogging, remote camera and microphone access, data wiping, hidden browsing, notification interception, and credential-stealing overlays.

Perhaps most concerning, the Trojan includes a one-click APK builder that allows customers to embed the malicious payload into legitimate Google Play apps.

“Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload,” iVerify’s Daniel Kelley said. “With one click, Cellik will generate a new malicious APK that wraps the RAT inside the chosen legitimate app.”
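A Cellik-style builder produces an APK that is byte-for-byte the legitimate app plus the RAT's code, re-signed with the attacker's key because the original developer's signature cannot be preserved. Given a trusted reference copy, that is detectable with a plain content diff. The block below is an added example for this page, not iVerify's or Cellik's code; it constructs its own reference and repackaged APKs with placeholder bytes (there is no real signature inside them) and compares entry hashes and the v1 signature files.

```python
import hashlib
import io
import zipfile


def entry_hashes(apk_bytes: bytes) -> dict:
    """Map every zip entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i.filename)).hexdigest()
                for i in zf.infolist() if not i.filename.endswith("/")}


def v1_signature_files(hashes: dict) -> dict:
    """Only the signature blocks under META-INF/ (JAR / v1 signing scheme)."""
    return {n: h for n, h in hashes.items()
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))}


def diff_apks(reference: bytes, suspect: bytes) -> dict:
    """Compare a suspect APK against a trusted reference build of the same app."""
    ref, sus = entry_hashes(reference), entry_hashes(suspect)
    added = sorted(set(sus) - set(ref))
    removed = sorted(set(ref) - set(sus))
    modified = sorted(n for n in set(ref) & set(sus) if ref[n] != sus[n])
    # A repackaged app has to be re-signed by the attacker, so the v1 signature
    # block differs from the developer's. (v2/v3 signatures live in the APK
    # Signing Block outside the zip entries and are not seen here.)
    resigned = v1_signature_files(ref) != v1_signature_files(sus)
    # Extra DEX files or native libraries are where a wrapped RAT's code lands.
    new_code = [n for n in added if n.endswith(".dex") or n.startswith("lib/")]
    return {
        "added": added, "removed": removed, "modified": modified,
        "resigned": resigned, "new_code": new_code,
        "repackaged": resigned and (bool(new_code) or "classes.dex" in modified),
    }


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes stand in for real manifests, DEX and certificates.
REFERENCE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.legit'/>",
    "classes.dex": b"dex\n035\0legit-app-code",
    "resources.arsc": b"\x02\x00\x0c\x00",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"developer-signature-placeholder",
}
REPACKAGED_ENTRIES = dict(REFERENCE_ENTRIES)
REPACKAGED_ENTRIES.update({
    "AndroidManifest.xml": b"<manifest package='com.example.legit'><!-- extra permissions --></manifest>",
    "classes2.dex": b"dex\n035\0rat-payload-code",
    "lib/arm64-v8a/libpayload.so": b"\x7fELF" + b"\0" * 16,
    "META-INF/CERT.RSA": b"attacker-signature-placeholder",
})


def build_reference() -> bytes:
    return _make_zip(REFERENCE_ENTRIES)


def build_repackaged() -> bytes:
    return _make_zip(REPACKAGED_ENTRIES)


if __name__ == "__main__":
    for k, v in diff_apks(build_reference(), build_repackaged()).items():
        print(f"{k:<11} {v}")
```

Two caveats for real use: the reference copy has to come from somewhere you trust (the developer, or Google Play pulled on a clean device), and since most current apps are v2/v3-signed, signer comparison should be done with `apksigner verify --print-certs` on both files rather than by hashing META-INF/ entries.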

Meanwhile, Frogblight targets users in Turkey through SMS phishing messages that impersonate court notifications and trick recipients into installing malware, according to Kaspersky. In addition to stealing banking credentials via WebViews, the malware collects SMS messages, call logs, installed app lists, and file system data, while also managing contacts and sending arbitrary SMS messages.

Researchers believe Frogblight remains under active development, with its operator preparing a malware-as-a-service (MaaS) offering. This conclusion stems from the discovery of a web panel hosted on the C2 server and the restriction that only samples using the same encryption key as the panel can receive remote commands.

NexusRoute and Government-Themed Lures

In recent weeks, attackers have also targeted Android users in India with a malware strain dubbed NexusRoute. This campaign uses phishing portals impersonating Indian government services to redirect victims to malicious APKs hosted on GitHub repositories and GitHub Pages, while simultaneously harvesting personal and financial information.

These fake sites deliver a fully obfuscated remote access trojan (RAT) capable of stealing mobile numbers, vehicle data, UPI PINs, OTPs, and card details. The malware also abuses accessibility services and prompts victims to set it as the default home screen launcher to maximize data collection.
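The capabilities attributed to these families (SMS and OTP interception, sending SMS to propagate, USSD via dialling, notification suppression, accessibility abuse, installing further APKs, and registering as the home launcher) are all declared in the manifest before a single line of code is run. The following is an added example, not code from Group-IB, CYFIRMA or any of the vendors cited here; it scores a decoded AndroidManifest.xml (the XML form that apktool produces, since the binary manifest inside an APK needs decoding first) against those behaviours, using a constructed manifest that combines Wonderland's SMS profile with NexusRoute's launcher trick.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability rules mapped to the behaviours described in the article.
# kind is "perm" (uses-permission), "service" (intent action bound by a service)
# or "home" (activity intent-filter category).
RULES = [
    ("read/intercept SMS and OTPs", "perm", "android.permission.RECEIVE_SMS"),
    ("read/intercept SMS and OTPs", "perm", "android.permission.READ_SMS"),
    ("send SMS from the device (propagation)", "perm", "android.permission.SEND_SMS"),
    ("place calls / dial USSD codes", "perm", "android.permission.CALL_PHONE"),
    ("exfiltrate contact list", "perm", "android.permission.READ_CONTACTS"),
    ("install further APKs (dropper behaviour)", "perm", "android.permission.REQUEST_INSTALL_PACKAGES"),
    ("read or suppress notifications", "service", "android.service.notification.NotificationListenerService"),
    ("accessibility service (UI control, overlays)", "service", "android.accessibilityservice.AccessibilityService"),
    ("registers as HOME launcher", "home", "android.intent.category.HOME"),
]


def triage_manifest(xml_text: str) -> dict:
    """Score a decoded manifest; returns package name, matched behaviours and a heuristic profile flag."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    service_actions = {a.get(ANDROID_NS + "name")
                       for s in root.iter("service") for a in s.iter("action")}
    activity_categories = {c.get(ANDROID_NS + "name")
                           for a in root.iter("activity") for c in a.iter("category")}
    hits = []
    for label, kind, value in RULES:
        present = ((kind == "perm" and value in perms)
                   or (kind == "service" and value in service_actions)
                   or (kind == "home" and value in activity_categories))
        if present and label not in hits:
            hits.append(label)
    # Heuristic (author's assumption, not a vendor rule): an SMS stealer reads SMS
    # and also either spreads, hides alerts, or installs more code.
    reads_sms = "read/intercept SMS and OTPs" in hits
    profile = reads_sms and any(h in hits for h in (
        "send SMS from the device (propagation)",
        "read or suppress notifications",
        "install further APKs (dropper behaviour)"))
    return {"package": root.get("package"), "findings": hits,
            "score": len(hits), "sms_stealer_profile": profile}


# Constructed sample manifests (not from a real sample).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeplay">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Google Play">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
                <category android:name="android.intent.category.HOME"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
        <service android:name=".AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["score"], r["sms_stealer_profile"], r["findings"])
```

A genuine SMS app will legitimately hit the SMS rules, so the value is in the combination: SMS access plus a notification listener plus REQUEST_INSTALL_PACKAGES, or any app that is not a launcher asking for the HOME category, is what should pull a sample into manual analysis.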

“Threat actors increasingly weaponize government branding, payment workflows, and citizen service portals to deploy financially driven malware and phishing attacks under the guise of legitimacy,” CYFIRMA said. “The malware performs SMS interception, SIM profiling, contact theft, call-log harvesting, file access, screenshot capture, microphone activation, and GPS tracking.”

Further investigation of the embedded email address “gymkhana.studio@gmail[.]com” has linked NexusRoute to a broader underground development ecosystem, suggesting ties to a professionally maintained fraud and surveillance operation.

“The NexusRoute campaign represents a highly mature, professionally engineered mobile cybercrime operation that combines phishing, malware, financial fraud, and surveillance into a unified attack framework,” the company said. “The use of native-level obfuscation, dynamic loaders, automated infrastructure, and centralized surveillance control places this campaign well beyond the capabilities of common scam actors.”

Source: TheHackerNews
