Full Report
Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. "Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy
Analysis Summary
# Tool/Technique: Wonderland (and Associated Droppers: MidnightDat, RoundRift)
## Overview
Wonderland is an Android SMS stealer that has evolved from simple "pure" trojan APKs into a dropper-delivered mobile threat. The operation is financially motivated: it targets users in Uzbekistan and steals SMS messages and one-time passwords (OTPs) in order to drain funds from the victims' bank cards. Bidirectional C2 communication also gives it Remote Access Trojan (RAT) capabilities.
## Technical Details
- Type: Malware family (SMS Stealer / RAT)
- Platform: Android
- Capabilities: SMS interception/theft, OTP harvesting, arbitrary USSD request execution, contact list exfiltration, hiding push notifications, sending SMS messages, bidirectional C2, account hijacking (Telegram).
- First Seen: November 2023 (Wonderland); August 27, 2025 (MidnightDat dropper); October 15, 2025 (RoundRift dropper).
## MITRE ATT&CK Mapping (Mobile matrix)
- **TA0027 - Initial Access**
- T1660 - Phishing (malicious APKs pushed to victims' contacts from hijacked Telegram sessions, using lures such as fake Google Play updates, photos, videos and wedding invitations)
- **TA0030 - Defense Evasion**
- T1406 - Obfuscated Files or Information (both the dropper and the SMS stealer are heavily obfuscated)
- T1655 - Masquerading (droppers disguised as Google Play, videos or photos)
- **TA0035 - Collection**
- T1636.004 - Protected User Data: SMS Messages (SMS interception, OTP harvesting)
- T1636.003 - Protected User Data: Contact List (contact list exfiltration)
- T1517 - Access Notifications (suppressing push notifications, including incoming OTP alerts)
- **TA0037 - Command and Control**
- T1637 - Dynamic Resolution (only loosely: the report describes C2 domains rotated for each set of builds, not runtime domain generation)
- **TA0034 - Impact**
- T1582 - SMS Control (sending SMS from the victim's device; remote USSD execution is closely related but has no dedicated technique)
## Functionality
### Core Capabilities
- **SMS Theft and OTP Harvesting:** Intercepts SMS messages, specifically targeting One-Time Passwords (OTPs) to drain victim bank funds.
- **Installation via Dropper:** Uses dropper apps (MidnightDat/RoundRift) disguised as legitimate files (Google Play, videos, photos) that carry the SMS-stealer payload embedded inside the dropper itself, so the payload can be installed locally without contacting a download server, even when the device is offline.
- **Masquerading:** Presents itself as a legitimate application (e.g., a Google Play update) to talk the user into granting the dropper permission to install unknown apps ("install the update to use the app"); this per-app sideloading permission is what lets the dropper hand the bundled payload to the package installer.
- **Distribution Abuse:** Abuses hijacked Telegram sessions of Uzbek users to automatically send the APK to the victim's contacts.
- **Data Exfiltration:** Retrieves the device phone number and exfiltrates the contact list.
### Advanced Features
- **Bidirectional C2 Communication:** Functions as a true RAT, allowing for real-time command execution.
- **Arbitrary USSD Execution:** Can execute specific USSD requests issued remotely by the C2 server.
- **Notification Suppression:** Can hide push notifications, so the victim does not see incoming OTP messages or security alerts while funds are being moved.
- **Anti-Analysis Techniques:** Both dropper and SMS stealer components are heavily obfuscated to complicate reverse engineering efforts.
- **Resilient Infrastructure:** Employs rapidly changing C2 domains for each set of builds, enhancing longevity and complicating blacklisting efforts.
- **Automated Build Generation:** Uses a dedicated Telegram bot to generate malicious APK builds, which are then distributed by "workers" in exchange for a cut of the illicit gains.
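The dropper pattern and permission set described in the two lists above can be checked statically before an APK is ever installed. The following triage script is an added example for this page; it is not code from the Group-IB report or from the TrickyWonders toolset. It uses only the Python standard library: the permission check is a raw-byte search of AndroidManifest.xml (binary AXML keeps its string pool as UTF-16LE or UTF-8 strings), which is a quick-triage heuristic rather than a full manifest parser, and the sample "dropper" and "benign" APKs it builds are constructed in memory with placeholder manifests and a placeholder classes.dex.

```python
"""Static triage of an Android APK for dropper / SMS-stealer traits.

Added example, not code from the Group-IB report or the TrickyWonders toolset.
Standard library only.  The permission check searches the raw bytes of
AndroidManifest.xml (binary AXML stores strings as UTF-16LE or UTF-8); this is a
quick-triage heuristic, not a manifest parser.
"""
import io
import zipfile

# Permission -> capability bucket.  Combinations, not single permissions, flag
# the dropper and stealer behaviour: a bundled APK plus REQUEST_INSTALL_PACKAGES
# is the dropper; SMS permissions plus notification access is the stealer.
WATCHED_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",  # may sideload a bundled APK
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CALL_PHONE": "ussd",  # required to dial *NNN# USSD codes
    # Declared on a <service>, not as <uses-permission>; grants read/dismiss of notifications.
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}


def manifest_permissions(manifest: bytes) -> set:
    """Return the watched permission strings found in a binary or plain-text manifest."""
    return {p for p in WATCHED_PERMISSIONS
            if p.encode("utf-16-le") in manifest or p.encode("utf-8") in manifest}


def is_apk(blob: bytes) -> bool:
    """True if blob is a ZIP carrying the two entries every APK has."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and "classes.dex" in names


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag dropper/stealer traits and recurse into any APK bundled inside."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        perms = manifest_permissions(apk.read("AndroidManifest.xml"))
        payloads = {}
        for info in apk.infolist():
            if info.filename in ("AndroidManifest.xml", "classes.dex"):
                continue
            data = apk.read(info)
            # Droppers stash the payload under assets/ or res/raw/, usually with a misleading extension.
            if is_apk(data):
                payloads[info.filename] = triage_apk(data)
    buckets = {WATCHED_PERMISSIONS[p] for p in perms}
    verdicts = []
    if payloads and "dropper" in buckets:
        verdicts.append("dropper")  # bundles an APK and can ask the user to install it
    if "sms" in buckets:
        verdicts.append("sms-stealer" if "notifications" in buckets else "sms-access")
    if "ussd" in buckets:
        verdicts.append("ussd")
    if "contacts" in buckets:
        verdicts.append("contacts")
    return {"permissions": sorted(perms), "payloads": payloads, "verdicts": verdicts}


def _fake_manifest(perms) -> bytes:
    # Constructed stand-in for binary AXML: the same strings, UTF-16LE encoded.
    xml = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return xml.encode("utf-16-le")


def _make_apk(manifest: bytes, extra: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)  # placeholder, not real bytecode
        for name, data in extra.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_dropper() -> bytes:
    """Constructed sample: a 'Google Play update' dropper carrying a stealer APK in assets/."""
    stealer = _make_apk(_fake_manifest([
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
        "android.permission.CALL_PHONE",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"]), {})
    return _make_apk(_fake_manifest(["android.permission.REQUEST_INSTALL_PACKAGES"]),
                     {"assets/update.bin": stealer})


def build_sample_benign() -> bytes:
    """Constructed sample: an ordinary app with one image asset and no watched permissions."""
    return _make_apk(_fake_manifest(["android.permission.INTERNET"]),
                     {"assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32})


if __name__ == "__main__":
    import json
    print(json.dumps(triage_apk(build_sample_dropper()), indent=2))
```

Run against a real sample, `triage_apk(open("sample.apk", "rb").read())` reports the outer dropper as `dropper` and nests the bundled payload's own verdicts under its asset name, which is the two-stage layout the report describes. Because the permission check is a byte search, it will also match permission strings that appear only in a `<service android:permission=...>` attribute, which is exactly where the notification-listener permission lives.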
## Indicators of Compromise
- File Hashes: (Not provided in text)
- File Names: Malicious APKs disguised as Google Play updates, videos, photos, or wedding invitations.
- Registry Keys: Not applicable (Android has no registry).
- Network Indicators: Rapidly changing, ephemeral C2 domains used for limited sets of builds.
- Behavioral Indicators: A freshly installed app attempting to log into the Telegram account tied to the device's phone number as soon as it has obtained its permissions; USSD codes being dialed by an app other than the dialer; outgoing SMS to many contacts shortly after installation.
## Associated Threat Actors
- TrickyWonders (The financially motivated threat actor behind the operation).
## Detection Methods
- Signature-based detection: Weakened by the heavy obfuscation of both components and by C2 domains that change with each set of builds, so file hashes and domain blocklists age quickly.
- Behavioral detection: Monitor for USSD requests (`tel:*...#` dials) initiated by apps other than the dialer, apps enabling notification-listener access or dismissing notifications, a sideloaded app requesting SMS permissions right after installation, and Telegram login attempts immediately after installation.
- YARA rules: Not provided in the report; candidate rules would key on the obfuscated payload characteristics and on the dropper layout (an APK that carries a second APK among its assets and declares the REQUEST_INSTALL_PACKAGES permission).
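The behavioral indicators above only become a detection when they are correlated per package and tied to the installation event. The script below is an added example for this page, not something from the Group-IB report or the TrickyWonders toolset, and the telemetry format it parses (one `timestamp event key=value ...` line per device event, with USSD dials logged as percent-encoded `tel:` URIs) is constructed for the example; real MDM or agent logs will need their own parser in place of `parse_line`.

```python
"""Correlate post-installation behaviour of an Android app into a single alert.

Added example; the log format and the sample lines are constructed for this
page and do not come from the report.  The chain checked is the one the
analysis describes: sideloaded install, SMS permissions, notification-listener
access, USSD dials from a non-dialer app, a Telegram login code being read,
and mass outgoing SMS, all within a short window after installation.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample telemetry.  com.google.play.update is the lookalike dropper/stealer;
# com.example.notes is a normal Play-installed app used as a negative control.
SAMPLE_LOG = """\
2025-10-16T09:00:05 install pkg=com.google.play.update installer=com.android.packageinstaller
2025-10-16T09:00:40 permission pkg=com.google.play.update grant=android.permission.RECEIVE_SMS
2025-10-16T09:00:41 permission pkg=com.google.play.update grant=android.permission.READ_CONTACTS
2025-10-16T09:00:55 notification_listener pkg=com.google.play.update state=enabled
2025-10-16T09:01:10 dial pkg=com.google.play.update uri=tel:*123%23
2025-10-16T09:01:30 sms pkg=com.google.play.update direction=received sender=Telegram
2025-10-16T09:02:00 sms pkg=com.google.play.update direction=sent recipients=37
2025-10-16T10:30:00 install pkg=com.example.notes installer=com.android.vending
2025-10-16T10:31:00 permission pkg=com.example.notes grant=android.permission.CAMERA
2025-10-16T11:00:00 dial pkg=com.android.dialer uri=tel:*100%23
"""

WINDOW = timedelta(minutes=15)          # how long after install the chain must complete
TRUSTED_INSTALLERS = {"com.android.vending"}
TRUSTED_DIALERS = {"com.android.dialer", "com.google.android.dialer"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
MASS_SMS_RECIPIENTS = 10

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line: str) -> dict:
    """Parse 'timestamp event k=v k=v' into a dict (constructed format, see above)."""
    ts, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def is_ussd(uri: str) -> bool:
    """USSD codes are dialed as tel:*NNN# (the '#' arrives percent-encoded as %23)."""
    u = unquote(uri)
    return u.startswith("tel:*") and u.endswith("#")


def detect(log_text: str, min_indicators: int = 3) -> dict:
    """Return {package: [indicators]} for packages that hit min_indicators after install."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    installs = {e["pkg"]: e["ts"] for e in events if e["event"] == "install"}
    findings = {}
    for e in events:
        pkg = e["pkg"]
        installed = installs.get(pkg)
        # Only events inside the post-install window take part in the chain.
        if installed is None or not (installed <= e["ts"] <= installed + WINDOW):
            continue
        ind = findings.setdefault(pkg, set())
        if e["event"] == "install" and e["installer"] not in TRUSTED_INSTALLERS:
            ind.add("sideloaded")
        elif e["event"] == "permission" and e["grant"] in SMS_PERMS:
            ind.add("sms_permission")
        elif e["event"] == "notification_listener" and e["state"] == "enabled":
            ind.add("notification_listener")
        elif e["event"] == "dial" and pkg not in TRUSTED_DIALERS and is_ussd(e["uri"]):
            ind.add("ussd_from_app")
        elif e["event"] == "sms" and e.get("direction") == "received" and e.get("sender") == "Telegram":
            ind.add("telegram_login_code")   # app read a Telegram login SMS: session hijack attempt
        elif e["event"] == "sms" and e.get("direction") == "sent" \
                and int(e.get("recipients", "0")) >= MASS_SMS_RECIPIENTS:
            ind.add("mass_sms")              # spreading the APK to the victim's contacts
    return {pkg: sorted(ind) for pkg, ind in findings.items() if len(ind) >= min_indicators}


if __name__ == "__main__":
    for pkg, indicators in detect(SAMPLE_LOG).items():
        print(pkg, "->", ", ".join(indicators))
```

The window and the `min_indicators` threshold are the tuning knobs: a lone `sms_permission` grant is normal for a messaging app, and a lone USSD dial from a carrier self-care app is normal too, but three or more of these within fifteen minutes of a sideloaded install is the chain the report describes. The `com.android.dialer` USSD line in the sample is dropped only because that package has no install event in the log; a production rule would keep a separate, lower-severity alert for USSD dials from any non-dialer package regardless of install time.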
## Mitigation Strategies
- **User Education:** Emphasize the risk of granting an app permission to install unknown apps (the per-app "Install unknown apps" setting on current Android versions), and caution against "updates" or file requests that arrive outside the official app store, including ones sent by a contact over Telegram.
- **App Source Control:** Restrict installation to the Google Play Store; on managed devices enforce the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction through the device policy controller and keep Google Play Protect enabled.
- **C2 Monitoring:** Use threat intelligence feeds to track and block the newly registered, short-lived domains used for C2, accepting that each blocklist entry is only useful for the small set of builds that point at it.
- **Notification Review:** Have users periodically review which apps hold notification access and which app is the default SMS app, and revoke anything unexpected; a suppressed notification is invisible by design, so the review has to target the permission rather than the missing alert.
## Related Tools/Techniques
- Ajina.Banker (Older, more rudimentary Android malware in the region).
- Qwizzserial (A predecessor that utilized file disguise techniques).
- Generic Android Dropper frameworks.