Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Published:

22 December 2025 at 06:11:00

Alert date:

22 December 2025 at 07:02:17

Source:

thehackernews.com


Mobile & IoT, Ransomware & Malware, Data Breach & Exfiltration

Threat actors are using malicious dropper apps disguised as legitimate applications to deliver the Wonderland Android SMS stealer malware in targeted attacks against users in Uzbekistan. The campaign represents an evolution from direct Trojan APK distribution to more sophisticated dropper-based delivery methods that combine SMS theft capabilities with Remote Access Trojan (RAT) functionality. Group-IB analysis reveals this multi-stage attack chain targeting mobile users through fake applications that act as delivery mechanisms for the underlying malware payload.

Technical details

Wonderland malware uses dropper applications to disguise malicious payloads within legitimate-looking apps. The malware facilitates bidirectional C2 communication for real-time command execution, SMS theft, and arbitrary USSD requests. It masquerades as Google Play or media files and is distributed via fake Play Store pages, Facebook ads, and Telegram. The operation includes MidnightDat and RoundRift dropper families. Cellik RAT offers screen streaming, keylogging, camera/microphone access, and one-click APK building. Frogblight targets Turkish users via SMS phishing and steals banking credentials using WebViews. NexusRoute uses phishing portals impersonating Indian government services and employs accessibility service abuse.

Mitigation steps:

Avoid enabling installation from unknown sources.
Be cautious of fake app update screens requesting permissions.
Verify app authenticity through official app stores only.
Monitor SMS and banking notifications for suspicious activity.
Implement endpoint detection for Android devices.
Block known malicious domains and GitHub repositories hosting malicious APKs.
Educate users about phishing tactics using government service impersonation.
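As an added example (not code from the advisory, Group-IB, or Perceptive), the following Python triage check applies the advisory's defensive indicators to a constructed Android app inventory: sideloading from an unknown source, SMS permissions (SMS theft), the call permission needed to dial USSD codes, and a declared accessibility service. The permission and service identifiers are real Android manifest constants; the inventory records, the trusted-installer list, and the scoring thresholds are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Real Android manifest identifiers used as indicators.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
CALL_PERM = "android.permission.CALL_PHONE"  # required to dial USSD codes
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumption: only Google Play (package com.android.vending) counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]            # None means sideloaded / unknown source
    permissions: Set[str] = field(default_factory=set)
    service_perms: Set[str] = field(default_factory=set)  # permissions declared on services


def triage(app: AppRecord) -> List[str]:
    """Return the advisory-style indicators present on one installed app."""
    findings = []
    if app.installer not in TRUSTED_INSTALLERS:
        findings.append("sideloaded")
    if app.permissions & SMS_PERMS:
        findings.append("sms-access")
    if CALL_PERM in app.permissions:
        findings.append("ussd-capable")
    if ACCESSIBILITY_PERM in app.service_perms:
        findings.append("accessibility-service")
    return findings


def risk_level(findings: List[str]) -> str:
    """Assumed scoring: sideloading combined with SMS or accessibility access is high risk."""
    if "sideloaded" in findings and ({"sms-access", "accessibility-service"} & set(findings)):
        return "high"
    if len(findings) >= 2:
        return "medium"
    return "low"


# Constructed inventory (sample data, not real packages): a Play-installed messenger,
# a sideloaded "Google Play" lookalike with SMS + accessibility access, and a sideloaded game.
INVENTORY = [
    AppRecord("com.example.messenger", "com.android.vending", {"android.permission.READ_SMS"}),
    AppRecord("com.fake.googleplay", None, SMS_PERMS | {CALL_PERM}, {ACCESSIBILITY_PERM}),
    AppRecord("com.example.game", None, {"android.permission.INTERNET"}),
]
REPORT = {app.package: risk_level(triage(app)) for app in INVENTORY}
```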

Affected products:

Android devices
Google Play Store
Telegram
Banking applications
UPI payment systems

Related links:

Related CVEs:

Related threat actors:

IOCs:

gymkhana.studio@gmail[.]com, Wonderland malware (formerly WretchedCat), MidnightDat dropper, RoundRift dropper, Cellik RAT, Frogblight banker, NexusRoute RAT, Fake Google Play Store web pages, Malicious APK files hosted on GitHub repositories, Dynamic C2 domains

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
