Android malware operations massively merge dropper, SMS theft, and RAT capabilities

By user, December 22, 2025

In a mobile attack targeting users in Uzbekistan, attackers were observed leveraging a malicious dropper app disguised as a legitimate application to deliver an Android SMS stealer called Wonderland.

“Until now, users received ‘pure’ Trojan APKs that functioned as malware as soon as they were installed,” Group-IB said in an analysis published last week. “Attackers are now increasingly deploying droppers disguised as legitimate applications. Droppers appear benign on the surface, but they contain a malicious payload and are deployed locally after installation, even without an active internet connection.”

According to the Singapore-based cybersecurity firm, Wonderland (formerly known as WretchedCat) supports two-way command-and-control (C2) communication for real-time command execution, enabling arbitrary USSD requests and SMS theft. It masquerades as a download from Google Play or as another file type, such as a video, photo, or wedding invitation.

TrickyWonders, the financially motivated threat actor behind the malware, uses Telegram as its primary platform to coordinate the various aspects of its operations. It was first identified in November 2023 and is also believed to be behind two dropper malware families designed to hide the main encrypted payload:

  • MidnightDat (first seen on August 27, 2025)
  • RoundRift (first seen on October 15, 2025)

Wonderland is primarily spread using fake Google Play Store web pages, Facebook ad campaigns, fake accounts on dating apps, and messaging apps such as Telegram, where attackers exploit stolen Telegram sessions of Uzbek users sold on dark web markets to distribute APK files to victims’ contacts and chats.

Once installed, the malware accesses SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims’ bank cards. Other features include the ability to retrieve phone numbers, extract contact lists, hide push notifications to suppress security or one-time password (OTP) alerts, and even send SMS messages from infected devices for lateral movement.

However, it's worth pointing out that in order to sideload an app, users must first enable a setting that allows installation from unknown sources. The malware gets the victim to do this by displaying an update screen that instructs them to “Install updates to use the app.”
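The two conditions described above, an app installed from outside Google Play that then holds SMS access, are exactly what a defender can enumerate on a managed or suspect device. The shell script below is an added example and not code from the article, Group-IB, or any vendor named on this page. It assumes adb is available for collection on a real device, and it runs offline here on constructed sample data; the flattened "package permission granted=bool" input format is this script's own convention, not an adb output format.

```shell
#!/bin/sh
# Added example, not code from the article or from Group-IB: a defender-side triage
# check for the combination the Wonderland dropper depends on, an app that was
# sideloaded (installer is not Google Play) and holds a granted SMS permission.
#
# On a real device with USB debugging enabled, the two inputs come from:
#   adb shell pm list packages -3 -i     # third-party packages with their installer
#   adb shell dumpsys package <pkg>      # per-package permission state
# The second input is assumed here to be flattened to "<pkg> <permission> granted=<bool>"
# lines; that flattening is this script's convention, not an adb output format.

# flag_sideloaded_sms_apps PACKAGE_LIST PERMISSION_LIST
# Prints each package not installed by com.android.vending that has
# READ_SMS, RECEIVE_SMS or SEND_SMS granted, one per line, in input order.
flag_sideloaded_sms_apps() {
    awk '
        # First input: "package:<name>  installer=<installer|null>"
        FNR == NR && /^package:/ {
            sub(/^package:/, "", $1)
            split($2, kv, "=")
            if (kv[2] != "com.android.vending") sideloaded[$1] = 1
            next
        }
        # Second input: "<name> <permission> granted=<true|false>"
        FNR != NR && ($1 in sideloaded) && $3 == "granted=true" &&
        $2 ~ /^android\.permission\.(READ_SMS|RECEIVE_SMS|SEND_SMS)$/ {
            if (!seen[$1]++) print $1
        }
    ' "$1" "$2"
}

# Constructed sample inputs (not captures from any real device or malware sample).
PKG_LIST=$(mktemp)
PERM_LIST=$(mktemp)
trap 'rm -f "$PKG_LIST" "$PERM_LIST"' EXIT
cat > "$PKG_LIST" <<'EOF'
package:com.example.bank  installer=com.android.vending
package:com.example.photos  installer=com.android.vending
package:com.invite.wedding  installer=null
package:com.media.viewer  installer=com.android.packageinstaller
EOF
cat > "$PERM_LIST" <<'EOF'
com.example.bank android.permission.READ_SMS granted=true
com.example.photos android.permission.CAMERA granted=true
com.invite.wedding android.permission.RECEIVE_SMS granted=true
com.invite.wedding android.permission.READ_CONTACTS granted=true
com.media.viewer android.permission.SEND_SMS granted=false
com.media.viewer android.permission.READ_SMS granted=true
EOF

# Flags com.invite.wedding and com.media.viewer; the Play-installed banking
# app that legitimately holds READ_SMS is not flagged.
flag_sideloaded_sms_apps "$PKG_LIST" "$PERM_LIST"
```

The installer check is the useful signal here: a banking app from Google Play holding READ_SMS is expected, while an app with a null or package-installer origin holding the same permission matches the dropper pattern in the article and deserves a closer look.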

“Once the victim installs the APK and grants permissions, the attacker takes over the phone number and attempts to log into the Telegram account registered with that phone number,” Group-IB said. “Once the login is successful, the distribution process repeats, forming a periodic infection chain.”

Wonderland represents the latest evolution in mobile malware in Uzbekistan, moving from rudimentary malware like Ajina.Banker that relied on large-scale spam campaigns to more obfuscated malware like Qwizzserial, which was discovered disguised as a seemingly innocuous media file.

The use of dropper applications is strategic: it makes the apps appear harmless and helps them evade security checks. Additionally, both the dropper and SMS stealer components are heavily obfuscated and incorporate anti-analysis tricks that make reverse engineering more difficult and time-consuming.

Furthermore, the use of two-way C2 communication transforms the malware from a passive SMS stealer to an active remote control agent that can execute any USSD requests issued by the server.

“Supporting infrastructure also became more dynamic and resilient,” the researchers said. “Operators rely on rapidly changing domains, with each domain used for only a limited set of builds before being replaced. This approach complicates monitoring, confuses blacklist-based defenses, and increases the longevity of command and control channels.”

Malicious APK builds are generated using dedicated Telegram bots and distributed by a category of threat actors called workers in exchange for a portion of the stolen funds. As part of this effort, each build is associated with its own C2 domain, so takedown attempts do not bring down the entire attack infrastructure.

The criminal organization also includes group owners, developers, and vbivers who verify stolen card information. This hierarchy reflects the new maturity of financial fraud.

“The new wave of malware development in the region clearly shows that methods to compromise Android devices are not only becoming more sophisticated, but also rapidly evolving,” Group-IB said. “Attackers are actively adapting their tools and implementing new approaches to distribution, hiding their activities, and maintaining control over infected devices.”

This disclosure coincides with the emergence of new Android malware that can collect sensitive information from compromised devices, including Cellik, Frogblight, and NexusRoute.

Cellik is advertised on the dark web for $150 for a one-month license or $900 for a lifetime license, and features real-time screen streaming, keylogging, remote camera/microphone access, data erasure, hidden web browsing, notification interception, and an app overlay for credential stealing.

Perhaps the Trojan’s most troubling feature is its one-click APK builder that allows customers to bundle and distribute malicious payloads with legitimate Google Play apps.

“Through its control interface, an attacker can browse the entire Google Play Store catalog and select legitimate apps to bundle into the Cellik payload,” said iVerify’s Daniel Kelly. “With one click, Cellik generates a new malicious APK that wraps the RAT inside the legitimate app of your choice.”

Meanwhile, Frogblight was found to target users in Turkey through SMS phishing messages, tricking recipients into installing the malware on the pretext of viewing documents related to a court case in which the recipient was allegedly involved, Kaspersky said.

In addition to stealing banking credentials using WebView, the malware can also collect SMS messages, call logs, the list of apps installed on the device, and device file system information. It can also manage the victim's contacts and send arbitrary SMS messages.

Frogblight is believed to be under active development, and the attackers behind the tool are laying the groundwork for it to be distributed under the Malware-as-a-Service (MaaS) model. This evaluation is based on the discovery of a web panel hosted on a C2 server and the fact that only samples using the same key as the web panel login can be remotely controlled through it.

Malware families such as Cellik and Frogblight are part of a growing trend in Android malware, allowing attackers with little or no technical expertise to run large-scale mobile campaigns with minimal effort.

In recent weeks, Android users in India have also been targeted by malware called NexusRoute. The malware uses a phishing portal that impersonates an Indian government service to redirect visitors to malicious APKs hosted on GitHub repositories and GitHub Pages, while collecting personal and financial information.

The fake site is designed to infect Android devices with a fully obfuscated remote access Trojan (RAT) that can steal mobile numbers, vehicle data, UPI PINs, OTPs, and card details, and that collects extensive data by abusing accessibility services and prompting users to set it as their default home screen launcher.

“Threat actors are increasingly weaponizing government branding, payment workflows, and citizen service portals to deploy financially motivated malware and phishing attacks under the guise of legitimacy,” CYFIRMA said. “The malware performs SMS interception, SIM profiling, contact theft, call log collection, file access, screenshot capture, microphone activation, and GPS tracking.”

Further analysis of the embedded email address “gymkhana.studio@gmail[.]com” links NexusRoute to a broader underground development ecosystem, raising the possibility that it is part of a larger, professionally maintained fraud and surveillance infrastructure.

“The NexusRoute campaign represents a highly mature and professionally designed mobile cybercrime operation that incorporates phishing, malware, financial fraud, and surveillance into an integrated attack framework,” the company said. “The use of native levels of obfuscation, dynamic loaders, automated infrastructure, and centralized monitoring controls puts this campaign well beyond the capabilities of typical fraudsters.”
