Threat actors are increasingly employing sophisticated tactics to target mobile users in Uzbekistan, utilizing malicious dropper applications that masquerade as legitimate software. This trend has been highlighted in a recent analysis by Group-IB, which revealed the emergence of an Android SMS stealer known as Wonderland.
Malicious Tactics and Evolving Threats
In the past, users were often confronted with straightforward Trojan APKs that activated malware immediately upon installation. However, the landscape has shifted. Now, adversaries are deploying droppers that appear innocuous but harbor malicious payloads, which are activated locally post-installation, even without an internet connection.
Wonderland, previously identified as WretchedCat, facilitates bidirectional command-and-control (C2) communication, enabling real-time execution of commands, including arbitrary USSD requests and SMS theft. This malware cleverly disguises itself as Google Play or various file formats, such as videos and wedding invitations, to evade detection.
The financially motivated group behind this malware, known as TrickyWonders, uses Telegram as its primary coordination platform. First detected in November 2023, Wonderland is linked to two notable dropper families designed to obscure the primary encrypted payload:
- MidnightDat (First seen on August 27, 2025)
- RoundRift (First seen on October 15, 2025)
Propagation methods for Wonderland include the creation of counterfeit Google Play Store web pages, Facebook ad campaigns, and fake accounts on dating and messaging apps. The attackers exploit stolen Telegram sessions from Uzbek users, distributing APK files to victims’ contacts and chats.
Once installed, Wonderland gains access to SMS messages, intercepting one-time passwords (OTPs) to siphon funds from victims’ bank accounts. Its capabilities extend to retrieving phone numbers, exfiltrating contact lists, suppressing security alerts, and even sending SMS messages from compromised devices to facilitate lateral movement.
To sideload the app, users must first enable the setting that permits installations from unknown sources; the dropper typically prompts for this with a misleading update screen instructing them to “install the update to use the app.”
Upon installation, if a victim grants the necessary permissions, attackers can hijack the phone number and attempt to log into the associated Telegram account. A successful login initiates a cycle of infection, perpetuating the malware’s spread.
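The capability set described above (OTP interception, outbound SMS, USSD requests, contact exfiltration, and a dropper stage that installs a hidden payload) maps onto a recognisable set of Android permission requests. The following triage helper is an added example, not code from Group-IB or from the report; the permission-to-capability mapping and the sample manifest are assumptions constructed for illustration, and a real sample would need the manifest decoded from the APK first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical mapping (not from the report) of the capabilities the article
# describes to the manifest permissions an app would need to exercise them.
PROFILE = {
    "otp_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "ussd_requests": {"android.permission.CALL_PHONE"},
    "contact_exfiltration": {"android.permission.READ_CONTACTS"},
    "dropper_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission"))
    return {n for n in names if n}


def matched_capabilities(perms):
    """Capabilities from PROFILE for which at least one required permission is requested."""
    return sorted(cap for cap, needed in PROFILE.items() if needed & perms)


def triage(manifest_xml):
    """Flag an app that can read SMS and also send SMS or place calls/USSD requests,
    the combination that turns a passive OTP reader into an active stealer."""
    perms = manifest_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    active = {"sms_sending", "ussd_requests"} & set(caps)
    suspicious = "otp_interception" in caps and bool(active)
    return {"permissions": sorted(perms), "capabilities": caps, "suspicious": suspicious}


# Constructed sample manifest (not a real sample) for a fake "update" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed benign manifest: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

Permissions alone do not prove malice, so treat a hit as a reason to pull the sample for dynamic analysis rather than as a verdict.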
Strategic Evolution of Malware
Wonderland marks a significant evolution in mobile malware within Uzbekistan, transitioning from basic malware like Ajina.Banker, which relied on spam campaigns, to more sophisticated variants like Qwizzserial, cleverly disguised as benign media files.
The strategic use of dropper applications enhances the malware’s deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, incorporating anti-analysis techniques that complicate reverse engineering efforts.
Moreover, the implementation of bidirectional C2 communication transforms Wonderland from a passive SMS stealer into an active agent capable of executing commands issued by the server.
Group-IB researchers noted that the supporting infrastructure has become increasingly dynamic and resilient, with operators relying on rapidly changing domains. Each domain is utilized for a limited set of builds before being replaced, complicating monitoring efforts and enhancing the longevity of command and control channels.
The malicious APKs are generated through a dedicated Telegram bot, distributed by a network of threat actors known as workers, who receive a share of the stolen funds. This organized structure reflects a maturation of the financial fraud operation, comprising group owners, developers, and validators of stolen card information.
As the malware landscape evolves, new strains such as Cellik, Frogblight, and NexusRoute have emerged, each capable of harvesting sensitive information from compromised devices. For instance, Cellik is marketed on the dark web, offering features such as real-time screen streaming, keylogging, and remote access to cameras and microphones.
Frogblight targets users in Turkey through SMS phishing, tricking them into installing malware under the guise of accessing court documents. It not only steals banking credentials but also collects SMS messages, call logs, and device information.
Meanwhile, NexusRoute has been observed targeting Android users in India, employing phishing portals that impersonate government services to redirect victims to malicious APKs. This malware can extract extensive personal and financial data, showcasing a troubling trend of weaponizing government branding and citizen service portals for financial gain.
As the sophistication of mobile malware continues to rise, it is evident that attackers are rapidly adapting their strategies, enhancing their tools, and refining their methods of distribution and concealment. This evolution underscores the pressing need for vigilant cybersecurity measures to combat the growing threat of mobile cybercrime.