Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

News Room
Last updated: 2025/12/22 at 1:31 AM
News Room Published 22 December 2025

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan.

“Previously, users received ‘pure’ Trojan APKs that acted as malware immediately upon installation,” Group-IB said in an analysis published last week. “Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection.”

Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or files of other formats, such as videos, photos, and wedding invitations.

The financially motivated threat actor behind the malware, TrickyWonders, leverages Telegram as the primary platform to coordinate various aspects of the operation. First discovered in November 2023, it’s also attributed to two dropper malware families that are designed to conceal the primary encrypted payload –

  • MidnightDat (First seen on August 27, 2025)
  • RoundRift (First seen on October 15, 2025)

Wonderland is mainly propagated using fake Google Play Store web pages, ad campaigns on Facebook, bogus accounts on dating apps, and messaging apps like Telegram, with the attackers abusing stolen Telegram sessions of Uzbek users sold on dark web markets to distribute APK files to victims’ contacts and chats.

Once the malware is installed, it gains access to SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims’ bank cards. Other capabilities include retrieving phone numbers, exfiltrating contact lists, hiding push notifications to suppress security or one-time password (OTP) alerts, and even sending SMS messages from infected devices for lateral movement.

However, it’s worth pointing out that sideloading the app first requires users to enable a setting that allows installation from unknown sources. This is accomplished by displaying an update screen that instructs them to “install the update to use the app.”

“When a victim installs the APK and provides the permissions, the attackers hijack the phone number and attempt to log into the Telegram account registered with that phone number,” Group-IB said. “If the login succeeds, the distribution process is repeated, creating a cyclical infection chain.”

Wonderland represents the latest evolution of mobile malware in Uzbekistan, which has shifted from rudimentary malware such as Ajina.Banker that relied on large-scale spam campaigns to more obfuscated strains like Qwizzserial that were found disguised as seemingly benign media files.

The use of dropper applications is strategic as it causes them to appear harmless and evade security checks. In addition, both the dropper and SMS stealer components are heavily obfuscated and incorporate anti-analysis tricks to make them a lot more challenging and time-consuming to reverse engineer.

What’s more, the use of bidirectional C2 communication transforms the malware from a passive SMS stealer to an active remote-controlled agent that can execute arbitrary USSD requests issued by the server.

“The supporting infrastructure has also become more dynamic and resilient,” the researchers said. “Operators rely on rapidly changing domains, each of which is used only for a limited set of builds before being replaced. This approach complicates monitoring, disrupts blacklist-based defenses, and increases the longevity of command and control channels.”

The malicious APK builds are generated using a dedicated Telegram bot, which is then distributed by a category of threat actors called workers in exchange for a share of the stolen funds. As part of this effort, each build is associated with its own C2 domains so that any takedown attempt does not bring down the entire attack infrastructure.

The criminal enterprise also includes group owners, developers, and vbivers, who validate stolen card information. This hierarchical structure reflects a new maturation of the financial fraud operation.

“The new wave of malware development in the region clearly demonstrates that methods of compromising Android devices are not just becoming more sophisticated – they are evolving at a rapid pace,” Group-IB said. “Attackers are actively adapting their tools, implementing new approaches to distribution, concealment of activity, and maintaining control over infected devices.”

The disclosure coincides with the emergence of new Android malware, such as Cellik, Frogblight, and NexusRoute, that are capable of harvesting sensitive information from compromised devices.

Cellik, which is advertised on the dark web for a starting price of $150 for one month or for $900 for a lifetime licence, is equipped with real-time screen streaming, keylogging, remote camera/microphone access, data wiping, hidden web browsing, notification interception, and app overlays to steal credentials.

Perhaps the Trojan’s most troubling feature is a one-click APK builder that allows customers to bundle the malicious payload within legitimate Google Play apps for distribution.

“Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload,” iVerify’s Daniel Kelley said. “With one click, Cellik will generate a new malicious APK that wraps the RAT inside the chosen legitimate app.”

Frogblight, on the other hand, has been found to target users in Turkey via SMS phishing messages that trick recipients into installing the malware under the pretext of viewing court documents related to a court case they are purported to be involved in, Kaspersky said.

Besides stealing banking credentials using WebViews, the malware can collect SMS messages, call logs, a list of installed apps on the device, and device file system information. It can also manage contacts and send arbitrary SMS messages.

Frogblight is believed to be under active development, with the threat actor behind the tool laying the groundwork for it to be distributed under a malware-as-a-service (MaaS) model. This assessment is based on the discovery of a web panel hosted on the C2 server and the fact that only samples using the same key as the web panel login can be remotely controlled through it.

Malware families like Cellik and Frogblight are part of a growing trend of Android malware, wherein even attackers with little to no technical expertise can now run mobile campaigns at scale with minimal effort.

In recent weeks, Android users in India have also been targeted by a malware dubbed NexusRoute that employs phishing portals impersonating Indian government services to redirect visitors to malicious APKs hosted on GitHub repositories and GitHub Pages, while simultaneously collecting their personal and financial information.

The bogus sites are designed to infect Android devices with a fully obfuscated remote access trojan (RAT) that can steal mobile numbers, vehicle data, UPI PINs, OTPs, and card details, as well as harvest extensive data by abusing accessibility services and prompting users to set it as the default home screen launcher.
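As an added defensive example (not code from the article or from any of the vendors it cites), the following Python triage script inspects a decoded AndroidManifest.xml (as produced by a decompiler such as apktool, an assumption) for the declaration patterns that the Wonderland and NexusRoute descriptions above share: SMS interception and sending, installing an embedded APK from a dropper, USSD/call access, binding an accessibility or notification-listener service, and registering as the home screen launcher. The manifest it runs on is a constructed sample, not a real malware artefact.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Capabilities described in the write-up, keyed by the manifest declaration that grants them.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS / OTPs",
    "android.permission.SEND_SMS": "send SMS from the device (self-propagation)",
    "android.permission.CALL_PHONE": "place calls / run USSD codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper: install an embedded APK",
}
SERVICE_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility-service abuse",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read or hide notifications",
}

# Constructed sample: a decoded manifest for a hypothetical fake "Google Play" dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeplay">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play">
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Map each risky declaration found in a decoded AndroidManifest.xml to why it matters."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        if perm.get(NAME) in PERMISSION_FLAGS:
            findings[perm.get(NAME)] = PERMISSION_FLAGS[perm.get(NAME)]
    for svc in root.iter("service"):  # the bind permission reveals privileged services
        bind = svc.get(f"{{{ANDROID_NS}}}permission")
        if bind in SERVICE_FLAGS:
            findings[bind] = SERVICE_FLAGS[bind]
    for cat in root.iter("category"):  # HOME category = wants to be the launcher
        if cat.get(NAME) == "android.intent.category.HOME":
            findings["home-launcher"] = "registers as the default home screen launcher"
    return findings
```

Several of these declarations together (SMS receipt plus package installation plus a HOME intent-filter) is the combination worth escalating; a single one is common in benign apps.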

“Threat actors increasingly weaponize government branding, payment workflows, and citizen service portals to deploy financially driven malware and phishing attacks under the guise of legitimacy,” CYFIRMA said. “The malware performs SMS interception, SIM profiling, contact theft, call-log harvesting, file access, screenshot capture, microphone activation, and GPS tracking.”

Further analysis of an embedded email address “gymkhana.studio@gmail[.]com” has linked NexusRoute to a broader underground development ecosystem, raising the possibility that it’s part of a professionally maintained, large-scale fraud and surveillance infrastructure.

“The NexusRoute campaign represents a highly mature, professionally engineered mobile cybercrime operation that combines phishing, malware, financial fraud, and surveillance into a unified attack framework,” the company said. “The use of native-level obfuscation, dynamic loaders, automated infrastructure, and centralized surveillance control places this campaign well beyond the capabilities of common scam actors.”
