
The Rise of Advanced Android Malware: Merging Droppers, SMS Theft, and RAT Capabilities

Threat actors have been employing malicious dropper apps that impersonate legitimate applications to deliver an Android SMS stealer known as Wonderland, targeting users in Uzbekistan. According to an analysis from Group-IB, users previously received Trojan APKs that would activate upon installation. However, now adversaries are increasingly using droppers that appear harmless on the surface, which secretly contain a malicious payload activated post-installation, even without an internet connection.

Wonderland, originally called WretchedCat, enables bidirectional command-and-control (C2) communication, allowing attackers to issue commands in real-time, facilitating SMS theft and arbitrary USSD requests. The malware masquerades as various file formats like videos or wedding invitations, further obscuring its malicious nature.

Operated by the financially motivated group TrickyWonders, which primarily uses Telegram for coordination, Wonderland was first identified in November 2023. This operation utilizes two other dropper families designed to conceal the primary payload—MidnightDat and RoundRift.

Distribution of Wonderland mainly occurs through fake Google Play Store pages, ad campaigns on Facebook, bogus accounts on dating apps, and exploiting stolen Telegram sessions from Uzbek users. This allows the attackers to propagate APK files to victims’ contacts through chat platforms.

Once installed, the malware gains access to SMS messages and captures one-time passwords (OTPs), which the attackers use to drain funds from victims' bank accounts. Additionally, it can retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices to spread to further victims.

For the installation process, users must enable installation from unknown sources, prompted by an update screen requesting permission to operate the app. As Group-IB explains, once the APK is installed and permissions granted, the attackers hijack the phone number to attempt a login into the registered Telegram account. If successful, this initiates a cycle of infection.

Wonderland illustrates the evolution of mobile malware in Uzbekistan, moving from simpler forms like Ajina.Banker, which relied on widespread spam campaigns, to more sophisticated methods involving obfuscation and deceptive distribution strategies such as disguised media files.

The use of dropper applications is strategic, making malware appear benign and allowing it to evade security measures. Both the dropper itself and the SMS theft capabilities are heavily obfuscated, employing anti-analysis techniques that complicate reverse engineering efforts.

Moreover, the implementation of bidirectional C2 communication transforms the malware from merely a passive SMS thief to an active agent capable of executing server-issued commands dynamically.

Researchers have also noted that the supporting infrastructure has become more adaptive, with operators using rapidly changing domains that complicate monitoring and disrupt blacklist defenses, thereby extending the operational life of their command channels.

The malicious APKs are produced via a dedicated Telegram bot and distributed by a network of threat actors who act as "workers," earning a percentage of the stolen funds. This operation also involves a hierarchy among the criminals, including group leaders, developers, and validators of stolen card information, indicating a maturation in the sophistication of their financial fraud schemes.

The trend of evolving Android malware, evidenced by campaigns like Wonderland, highlights the rapid pace at which malware distribution methods are becoming more complex and deceptive, adapting to circumvent current cybersecurity defenses.
