A sophisticated wave of mobile malware is sweeping through Central Asia, marking a dangerous evolution in how cybercriminals target Android users. A new in-depth analysis by Group-IB reveals that threat actors in Uzbekistan have shifted tactics, moving away from simple malicious apps to advanced “droppers” and deploying a new, highly responsive malware family dubbed “Wonderland.”
Researchers who detected this surge in October 2025 noted that the region has become a testing ground for increasingly complex cyber weaponry.
The most significant change identified in the report is the method of delivery. Previously, attackers would try to trick users into installing a “pure” Trojan. Today, they use a “Trojan Horse” strategy known as a dropper.
“A key shift in attacker tactics is the transition from direct delivery of trojans to a more stealthy distribution model,” the report states.

These droppers are designed to evade immediate detection by security software. “The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation even without an active internet connection”. By masquerading as legitimate updates or harmless media files, the malware secures a foothold on the device before unleashing its true payload—often an SMS stealer designed to drain bank accounts.
Among the new threats, Wonderland stands out as the first mass-spreading Android SMS stealer in the region to feature bidirectional command-and-control (C2) communication. Unlike its predecessors, which merely collected data and sent it to a server, Wonderland enters a dialogue with its operators.
“Wonderland introduces a bidirectional command-and-control (C2) communication for real-time command execution, allowing for arbitrary USSD requests and SMS sending”.
This upgrade is significant because it allows attackers to adapt in real time. They can execute arbitrary USSD requests (often used to manage phone services or check balances) and send SMS messages from the victim’s phone to spread the infection further. As the analysts noted, “This architecture transforms the malware from a passive data stealer into a remote-controlled agent”.
The distribution of these threats is heavily reliant on Telegram, the dominant messaging platform in Uzbekistan. Attackers are weaponizing the platform by using stolen sessions to send malware from trusted contacts.
“Telegram remains as a key distribution vector for Android SMS stealers in Uzbekistan,” the report confirms.
The scheme is cyclical: once a user installs the malware, the attackers hijack their Telegram account to forward the malicious APK to the victim’s contacts, perpetuating the cycle. They even utilize fake bots impersonating legitimate payment systems (like @HUMOcardbot) to harvest card details directly.
The report outlines a rapid maturation of malware development in the region, categorized into three rounds: “Warm Up,” “Adaptation,” and the “Current Situation.” The current phase is characterized by heavy obfuscation and anti-analysis techniques. The malware now actively checks if it is running in a research environment (sandbox) or on a rooted device, terminating immediately if it detects scrutiny.
Specific droppers like MidnightDat and RoundRift exemplify this sophistication. MidnightDat, for instance, uses a native library to decrypt a hidden payload, using custom XOR encryption and compression to hide the final malicious APK from static analysis tools.
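The MidnightDat pattern just described, a payload hidden with custom XOR and compression so that static tools see only an opaque asset, is what an analyst's triage step has to see through. The following Python is an added example, not Group-IB's tooling and not code from the samples in the report: it walks a dropper APK's entries, flags assets whose byte entropy is near 8 bits/byte (the signature of packed or encrypted data), and then tries to unmask an embedded APK under the assumption that the obfuscation is a repeating-key XOR of at most 4 bytes combined with zlib/deflate compression in either order. Rather than brute-forcing keys, it reads the key off the known `PK\x03\x04` ZIP header (or the 2-byte zlib header) as known plaintext and confirms a hit by CRC-checking every member of the recovered ZIP. The dropper it scans is a fixture constructed inside the block; the key, entry names, package names and the XOR/compression order are assumptions for the demonstration, since the report excerpt does not state the real sample's scheme.

```python
import hashlib
import io
import math
import zipfile
import zlib
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"                             # local file header of any ZIP/APK
ZLIB_HEADERS = (b"x\x01", b"x^", b"x\x9c", b"x\xda")  # usual zlib stream prefixes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both builds the fixture and undoes it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def inflate(data: bytes):
    """Decompress zlib, raw deflate or gzip; None if data is not a deflate stream."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def is_valid_zip(data: bytes) -> bool:
    """True only if data parses as a ZIP and every member passes its CRC check."""
    buf = io.BytesIO(data)
    try:
        if not zipfile.is_zipfile(buf):
            return False
        with zipfile.ZipFile(buf) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, zlib.error, OSError, EOFError, ValueError):
        return False


def recover_payload(blob: bytes, max_key_len: int = 4):
    """Unmask a hidden APK; returns (key, apk_bytes) or None. Case A (XOR then
    compress): inflate, then read the key off the known PK header. Case B
    (compress then XOR): only the 2-byte zlib header is known, so keys <= 2 bytes."""
    inflated = inflate(blob)
    if inflated:
        for klen in range(1, max_key_len + 1):
            key = xor_repeating(inflated[:klen], ZIP_MAGIC[:klen])
            apk = xor_repeating(inflated, key)
            if is_valid_zip(apk):
                return key, apk
    for header in ZLIB_HEADERS:
        for klen in (1, 2):
            key = xor_repeating(blob[:klen], header[:klen])
            apk = inflate(xor_repeating(blob, key))
            if apk and is_valid_zip(apk):
                return key, apk
    return None


def triage_dropper(dropper_apk: bytes, threshold: float = 7.0) -> list:
    """Flag high-entropy entries of a dropper APK and try to unmask each; key None
    means the blob is suspicious but this scheme did not fit (recover key dynamically)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(dropper_apk)) as outer:
        for info in outer.infolist():
            data = outer.read(info.filename)
            entropy = shannon_entropy(data)
            if entropy < threshold:
                continue
            finding = {"entry": info.filename, "entropy": round(entropy, 2),
                       "key": None, "hidden_files": []}
            result = recover_payload(data)
            if result:
                finding["key"], apk = result
                with zipfile.ZipFile(io.BytesIO(apk)) as inner:
                    finding["hidden_files"] = inner.namelist()
            findings.append(finding)
    return findings


def build_fixture(key: bytes = b"\x5a\xc3\x19", xor_first: bool = True) -> bytes:
    """Constructed test input (not a real sample): an 'update' APK whose
    assets/media/intro.mp4 is an XOR-obfuscated, deflated inner APK. Assumed values."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.hidden'/>")
        # deterministic pseudo-random bytes stand in for an incompressible classes.dex
        zf.writestr("classes.dex", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))
    payload = inner.getvalue()
    blob = (zlib.compress(xor_repeating(payload, key)) if xor_first
            else xor_repeating(zlib.compress(payload), key))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.update'/>")
        zf.writestr("assets/media/intro.mp4", blob)
    return outer.getvalue()
```

Calling `triage_dropper(build_fixture())` returns one finding for `assets/media/intro.mp4` with an entropy above 7.9, the recovered key `b"\x5a\xc3\x19"` and the hidden APK's file list; the manifest entry is skipped because plain XML sits well below the threshold. The known-plaintext trick is what keeps this cheap: a ZIP always starts with its local file header, so each key byte falls out of one XOR, whereas brute-forcing a 4-byte key would mean four billion decode attempts. The caveat is that a dropper whose native library derives the key at runtime, or uses a scheme other than repeating XOR, will produce a finding with `key` set to `None`; the entropy flag is still the signal worth acting on, and the key then has to be obtained by instrumenting the native decryption routine rather than from the asset alone.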
Data from one cybercriminal group’s Telegram channel suggests that this group alone generated more than $2 million in profits in 2025, confirming the lucrative nature of these attacks.
As the report concludes, this escalation proves that “methods of compromising Android devices are not just becoming more sophisticated – they are evolving at a rapid pace”.