
Android Users at Risk: Wonderland Malware Exploits Bidirectional SMS to Intercept OTPs – Cyber Press

In October 2025, Group‑IB researchers uncovered a new wave of Android malware attacks primarily targeting users in Uzbekistan. The campaign marks a significant shift in the way cybercriminals distribute and operate mobile trojans.
Instead of distributing the malicious APK directly, the threat actors now use droppers: seemingly harmless apps that carry the real payload inside themselves and install it silently, so no internet connection is needed at install time.
These droppers impersonate legitimate applications such as Google Play, or pose as video and photo files. Once installed, they unpack the embedded malware locally, so the final payload never has to pass the checks applied to the file the user actually downloaded.
The user interface is deliberately minimal, often just a fake “Update” button that masks the installation. Group‑IB’s analysts identified multiple dropper families, including MidnightDat and RoundRift, which keep the payload encrypted in the app’s assets folder; the dropper decrypts it at runtime and installs the final malware through Android’s PackageInstaller. On current Android versions that path still shows the system install prompt and requires the “install unknown apps” permission, which is why the “update” lure is needed to get the victim to tap through it.
Threat actors frequently rotate application names and package identifiers to evade signature-based detection.
Telegram remains the primary channel for distributing these APKs, often via stolen Telegram sessions acquired on dark web markets. Compromised accounts forward malware-laced messages to contacts, creating an automated infection cycle.
The most advanced discovery in this campaign is a new malware family named Wonderland, the first mass‑spreading Android SMS stealer in Uzbekistan to use bidirectional command‑and‑control (C2) communication.
Unlike earlier one‑way stealers, which only exfiltrated SMS data, Wonderland keeps a WebSocket connection open to receive real-time commands from its operators.
Over that channel it executes commands issued from the attacker’s server, such as sending SMS messages, running USSD requests, or hiding notifications.
Because the operator can act while the victim is in the middle of a transaction, the malware can intercept one‑time passwords (OTPs) used for banking or authentication as they arrive, forward calls, and suppress the security alerts that would otherwise warn the user.
Combined with strong code obfuscation, environment checks that detect sandboxes and emulators, and a dynamic C2 infrastructure that frequently rotates domains, Wonderland demonstrates a significant leap in stealth and operational capability.
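The dropper traits described above (an encrypted blob under assets/, a request for the install-packages permission, an optional nested APK) and the stealer traits (SMS and dialer permissions plus a WebSocket endpoint string) are all visible statically. The following triage script is an added example, not Group‑IB’s tooling or anything from the Wonderland samples; it builds a constructed, benign stand-in for a dropper APK in memory and scores it. It assumes a heuristic byte search over AndroidManifest.xml for the UTF-8 and UTF-16LE encodings of permission names (real binary AXML keeps them in a string pool, so this works without a full parser, but a production pipeline should use androguard or apkanalyzer), and the entropy threshold and marker strings are illustrative choices.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Permissions a dropper / SMS stealer of the kind described above would declare.
DROPPER_PERMS = ["android.permission.REQUEST_INSTALL_PACKAGES"]
STEALER_PERMS = [
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",  # USSD requests go through the dialer
]
C2_MARKERS = [b"wss://", b"ws://"]   # WebSocket endpoint strings in the dex
ENTROPY_THRESHOLD = 7.5              # bits/byte; encrypted data sits near 8.0
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"RIFF")  # already-compressed media
ZIP_MAGIC = b"PK\x03\x04"            # a nested APK/zip inside assets/


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the (decompressed) content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _contains_string(blob: bytes, s: str) -> bool:
    # Heuristic: match the name as UTF-8 or UTF-16LE, the two encodings an
    # AXML string pool uses. Avoids needing a full binary-XML parser.
    return s.encode("utf-8") in blob or s.encode("utf-16-le") in blob


def triage_apk(apk_bytes: bytes) -> dict:
    """Return dropper/stealer indicators found in an APK (a zip archive)."""
    f = {"high_entropy_assets": [], "nested_apks": [], "dropper_permissions": [],
         "stealer_permissions": [], "c2_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        f["dropper_permissions"] = [p for p in DROPPER_PERMS if _contains_string(manifest, p)]
        f["stealer_permissions"] = [p for p in STEALER_PERMS if _contains_string(manifest, p)]
        for name in names:
            data = z.read(name)  # decompressed, so entropy reflects the content
            if name.startswith("assets/"):
                if data.startswith(ZIP_MAGIC):
                    f["nested_apks"].append(name)
                elif not data.startswith(IMAGE_MAGIC) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                    f["high_entropy_assets"].append(name)
            if name.endswith(".dex"):
                for m in C2_MARKERS:
                    if m in data and m.decode() not in f["c2_markers"]:
                        f["c2_markers"].append(m.decode())
    f["dropper_like"] = bool(f["dropper_permissions"]) and bool(f["high_entropy_assets"] or f["nested_apks"])
    f["stealer_like"] = bool(f["stealer_permissions"]) and bool(f["c2_markers"])
    return f


def build_sample_apk() -> bytes:
    """Constructed, benign stand-in for a dropper APK (not a real sample).
    The 'encrypted' asset is deterministic pseudo-random bytes and the
    manifest is a plain UTF-16LE string rather than real binary AXML."""
    fake_payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    manifest = ("android.permission.REQUEST_INSTALL_PACKAGES "
                "android.permission.RECEIVE_SMS "
                "android.permission.READ_SMS "
                "android.permission.SEND_SMS").encode("utf-16-le")
    dex = b"dex\n035\x00" + b"wss://c2.example.invalid/ws\x00"   # hypothetical host
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
        z.writestr("assets/update.dat", fake_payload)
        # A PNG is high-entropy too; the magic-byte check keeps it out of the findings.
        z.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4)
    return buf.getvalue()


if __name__ == "__main__":
    for k, v in triage_apk(build_sample_apk()).items():
        print(f"{k}: {v}")
```

Run it on a real APK with `triage_apk(open("sample.apk", "rb").read())`. A hit on `dropper_like` is a reason to detonate the file and pull the decrypted payload, not a verdict on its own: legitimate apps also ship encrypted assets, and name rotation means the score, not the package name, is what you can pivot on across samples.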
Group‑IB reports that a single cybercriminal group behind these operations generated more than $2 million in 2025, underscoring the campaign’s scale and efficiency.
To protect against such threats, cybersecurity experts urge users and organizations to monitor device activity closely, review which apps hold SMS and “install unknown apps” permissions, avoid installing APKs from unofficial sources such as Telegram attachments, and rely on fraud-detection and threat-intelligence tools.
If an infection is suspected, disconnecting the device from the internet and performing a factory reset remains the most effective remediation step. Because the stealer may already have forwarded SMS content, any OTPs delivered to the device during the infection window should be treated as compromised: change the affected passwords and notify the bank or service before trusting the device again.