SMS phishing Archives

AppWizard

December 25, 2025

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors in Uzbekistan are increasingly using sophisticated tactics to target mobile users, specifically through malicious dropper applications that appear as legitimate software. A recent analysis by Group-IB identified an Android SMS stealer called Wonderland, which was previously known as WretchedCat. Unlike traditional Trojan APKs that activate malware immediately upon installation, Wonderland utilizes droppers that activate malicious payloads locally after installation, even without an internet connection. Wonderland enables bidirectional command-and-control communication, allowing real-time execution of commands, including SMS theft and USSD requests. It disguises itself as Google Play or various file formats to evade detection. The financially motivated group behind this malware, TrickyWonders, uses Telegram for coordination and was first detected in November 2023. Wonderland is associated with two dropper families: MidnightDat and RoundRift. Propagation methods for Wonderland include counterfeit Google Play Store pages, Facebook ads, and fake accounts on dating apps. Attackers exploit stolen Telegram sessions from Uzbek users to distribute APK files. Once installed, Wonderland can access SMS messages, intercept one-time passwords, and siphon funds from victims' bank accounts. It can also retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices. Users must enable installations from unknown sources to sideload the app, often misled by a fake update screen. If granted permissions, attackers can hijack the phone number and log into the associated Telegram account, perpetuating the malware's spread. Wonderland represents a significant evolution in mobile malware in Uzbekistan, moving from basic malware like Ajina.Banker to more sophisticated variants like Qwizzserial. The use of dropper applications enhances its deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, complicating reverse engineering. The supporting infrastructure for Wonderland is dynamic, with rapidly changing domains complicating monitoring efforts. Malicious APKs are generated through a Telegram bot and distributed by a network of threat actors. New strains of malware, such as Cellik, Frogblight, and NexusRoute, have also emerged, each capable of harvesting sensitive information from compromised devices.

AppWizard

December 22, 2025

Frogblight Malware Targets Android Users With Fake Court and Aid Apps

A new Android-based Trojan named Frogblight is targeting mobile users in Turkiye to steal funds from bank accounts. Identified by Kaspersky's Securelist in August 2025, it spreads through smishing, where scammers send deceptive SMS messages about legal court cases or financial aid. These messages often include links to download malicious applications disguised as legitimate support tools. The malware, which can conceal itself and deactivate on simulated devices or within the U.S., requests extensive permissions to access SMS messages and device storage. Once installed, it opens a legitimate government website to appear credible and injects JavaScript to record keystrokes during banking logins. Recent versions have added keylogging, contact list theft, and private call log collection. The malware has evolved to disguise itself as the Google Chrome browser and other tools, and its source code is available on GitHub, indicating it may be marketed as malware-as-a-service. Kaspersky advises users to avoid downloading APK files from untrusted sources and to scrutinize app permission requests.

AppWizard

December 8, 2025

Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have identified two new families of Android malware, FvncBot and SeedSnatcher, as well as an upgraded version of ClayRat. FvncBot is designed to target mobile banking users in Poland, masquerading as a security application from mBank. It is built from scratch and includes features such as keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC). It uses a crypting service called apk0day and communicates with a remote server at naleymilva.it.com. FvncBot requests accessibility permissions to operate with elevated privileges and can perform various malicious activities, including exfiltrating data and delivering overlays on targeted applications. SeedSnatcher is disguised as a cryptocurrency wallet app called Coin and is distributed via Telegram. It focuses on stealing cryptocurrency wallet seed phrases and can intercept SMS messages to capture two-factor authentication codes. It employs techniques like dynamic class loading and WebView content injection to evade detection and initially requests minimal permissions before escalating its access. The upgraded ClayRat malware now exploits accessibility services and default SMS permissions, allowing it to record keystrokes, capture screen content, and present deceptive overlays. It has been distributed through fraudulent phishing domains and dropper apps that impersonate legitimate services. The enhanced capabilities of ClayRat enable complete device takeovers and persistent overlays, making it a more significant threat than its previous version.

Tech Optimizer

November 7, 2025

Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus

A banking trojan named Herodotus targets Android users globally, operating as Malware-as-a-Service and disguising itself as a legitimate app to lure users into downloading an APK from unofficial sources. Once installed, it gains critical system permissions to perform banking operations on behalf of the user. The malware is primarily distributed through SMS phishing campaigns that lead victims to fraudulent download pages. Herodotus employs overlay attacks to steal credentials and hijack sessions, posing a significant threat to financial security. It uses advanced evasion tactics, including random delays and realistic typing patterns, to avoid detection by traditional antivirus solutions. The trojan captures screen content and keystrokes, allowing real-time monitoring of user activity. Detection is complicated as Herodotus circumvents defenses by installing from unknown sources and executing harmful actions only after obtaining user permissions. Effective defense requires recognizing multiple indicators of compromise, such as suspicious SMS links and behavioral anomalies, which traditional antivirus protection often overlooks.

Tech Optimizer

November 7, 2025

Herodotus Android Banking Trojan Takes Over Devices, Outsmarts Security Tools

A new Android banking Trojan named Herodotus has emerged, operating under the Malware-as-a-Service (MaaS) model and causing significant disruptions in the mobile banking sector. It primarily spreads through SMS phishing campaigns that disguise malicious links as legitimate messages, leading users to counterfeit web pages to download an APK file outside the official Play Store. Upon installation, Herodotus requests critical permissions, including Accessibility, allowing it to overlay fake screens on real banking apps and capture user data. The malware employs deceptive behaviors to evade detection by traditional antivirus solutions, which often fail to recognize it due to their reliance on signature-based and behavior-driven databases. Research indicates that antivirus providers have overlooked the Herodotus threat, highlighting the need for multilayered defense mechanisms. Pradeo’s Mobile Threat Defense (MTD) solution offers continuous monitoring of device behavior, proactive blocking of phishing links, and alerts for risky off-store installations, effectively neutralizing threats before they escalate.

Tech Optimizer

October 29, 2025

Talk about geriatric – This devious Android malware escapes detection by typing like an old person

Herodotus malware mimics human typing patterns to evade detection by traditional antivirus systems. It spreads through SMS phishing, tricking users into downloading it, and installs silently by using deceptive screens and bypassing permission requests. Cybersecurity researchers recommend Android users activate Google Play Protect and avoid downloading apps from unofficial sources to enhance their defenses against this threat.