Mallory

Android Malware Campaigns Targeting Banking and Messaging Apps

Tags: credential-stealer-activity, loader-delivery-mechanism, financial-sector-threat, phishing-campaign-intelligence, initial-access-method
Updated March 21, 2026 at 03:02 PM (3 sources)


A surge in Android malware campaigns has been observed across multiple regions, with attackers leveraging sophisticated droppers and SMS stealers to compromise user devices and drain bank accounts. Notably, the Wonderland dropper malware has been identified as hijacking Telegram sessions to facilitate unauthorized banking transactions, while other malware families such as Frogblight, NexusRoute, and Ajina.Banker are also implicated in recent attacks. These campaigns often distribute malicious APKs disguised as legitimate applications, with infection vectors including sideloading and direct delivery via messaging platforms like Telegram.

In Uzbekistan, threat groups such as TrickyWonders, Blazefang, and Ajina have been linked to a wave of attacks using SMS stealer malware, exploiting Telegram's popularity to propagate infections and steal credentials. Security researchers have highlighted the evolving tactics of these actors, including the use of AES-based droppers and multi-stage payloads, underscoring the persistent threat posed by Android-targeted malware in both financial and personal data theft.
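The campaigns above hinge on sideloaded APKs that request SMS permissions so they can read one-time codes. The following triage helper is an added example (not code from the page or from any vendor it cites) that flags installed packages which were not installed by the Play Store and request SMS access; it assumes the line formats of `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>`, and the device output it parses is constructed, not captured.

```python
"""Flag sideloaded Android packages that can read or intercept SMS.

Added example, not from the page. Assumes the output formats of
`pm list packages -i` and `dumpsys package`; samples below are constructed.
"""
import re

# Permissions an SMS stealer needs to read or intercept one-time codes.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Installers treated as trusted stores (assumption: Play Store only; extend per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `pm list packages -i` (installer=null means preinstalled).
PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.android.messaging  installer=null
package:com.example.bonus  installer=com.google.android.packageinstaller
"""
# Constructed sample of `dumpsys package <pkg>` output, keyed by package name.
DUMPSYS = {
    "com.example.bank": "    requested permissions:\n      android.permission.INTERNET\n",
    "com.android.messaging": "    requested permissions:\n      android.permission.RECEIVE_SMS\n",
    "com.example.bonus": "    requested permissions:\n      android.permission.RECEIVE_SMS\n"
                         "      android.permission.READ_SMS\n    install permissions:\n",
}

def parse_installers(pm_output):
    """Map package name -> installer package ('null' for preinstalled apps)."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))

def parse_requested_permissions(dumpsys_output):
    """Collect the names listed under 'requested permissions:' in dumpsys output."""
    perms, in_block = set(), False
    for line in dumpsys_output.splitlines():
        if line.strip() == "requested permissions:":
            in_block = True
        elif in_block and line.strip().endswith(":"):
            break  # the next section header ends the block
        elif in_block and line.strip():
            perms.add(line.strip())
    return perms

def triage(pm_output, dumpsys_by_pkg):
    """Return [(package, installer, sms_perms)] for sideloaded packages with SMS access."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        if installer == "null" or installer in TRUSTED_INSTALLERS:
            continue  # preinstalled or store-installed: outside this check's scope
        hit = parse_requested_permissions(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMS
        if hit:
            findings.append((pkg, installer, sorted(hit)))
    return findings

if __name__ == "__main__":
    for pkg, installer, perms in triage(PM_LIST, DUMPSYS):
        print(f"REVIEW {pkg} (installed by {installer}): {', '.join(perms)}")
```

A flagged package is a lead for review, not a verdict: a legitimate messaging app sideloaded from an enterprise store would trip the same check.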

Timeline

  1. Dec 23, 2025

    Researchers disclose Wonderland Android dropper using Telegram for C2

    By December 23, 2025, reporting described Wonderland as a newly discovered Android dropper that used Telegram as a command-and-control channel. The malware was said to hijack devices, support unauthorized access to bank accounts, and use evasion techniques to maintain persistence and avoid detection.

  2. Dec 22, 2025

    AhnLab reports Wonderland among notable Android threats of mid-December

    AhnLab ASEC published its weekly mobile threat roundup on December 22, 2025, highlighting Android malware activity for the third week of December. The report identified Wonderland, Frogblight, and NexusRoute as notable threats observed during the period.

  3. Dec 19, 2025

    Group-IB publicly describes the Uzbekistan Android malware wave

    On December 19, 2025, Group-IB publicly disclosed details of the Android SMS-stealer campaign affecting Telegram users in Uzbekistan. The report highlighted multiple malware families, improved distribution and obfuscation, and guidance for users to monitor suspicious activity and reset infected devices.

  4. Oct 1, 2025

    Attackers adopt stealthier Android droppers to evade detection

    During the Uzbekistan campaign, researchers observed attackers shifting to seemingly benign droppers that embedded stealers, along with anti-analysis techniques and frequent rotation of domains and package names. Group-IB characterized this as a significant increase in the operation's maturity and infection effectiveness.

  5. Oct 1, 2025

    Android SMS-stealer campaign begins targeting Telegram users in Uzbekistan

    Group-IB said a new wave of Android SMS-stealer activity targeting Telegram users in Uzbekistan began in October 2025. Multiple threat groups used Telegram-based social engineering to distribute malicious APKs that stole credentials and money and spread via victims' contacts.


Related Stories

Android Malware Leveraging Legitimate Apps for Surveillance and Theft

Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.

1 month ago

Emergence of Advanced Android Malware Targeting SMS and Financial Data in Central Asia and Turkey

A new wave of sophisticated Android malware has been identified, targeting users in Central Asia and Turkey with the aim of stealing SMS messages, intercepting one-time passwords (OTPs), and draining bank accounts. The Wonderland malware, discovered in Uzbekistan and neighboring regions, employs multi-stage infection chains using dropper apps disguised as legitimate software. Once installed, Wonderland silently deploys its SMS-stealing payload, leveraging advanced evasion techniques such as emulator and sandbox detection, as well as heavy code obfuscation, to avoid analysis and detection by security tools. In Turkey, the Frogblight malware has been spreading through smishing campaigns that impersonate court summons or social aid notifications, tricking users into installing malicious apps. These apps, often named to mimic official government services, request extensive permissions to access SMS and storage, enabling the theft of sensitive information. Frogblight also demonstrates anti-analysis features, shutting down if it detects a fake phone or a device located in the United States. Both malware families represent a significant escalation in mobile threats, particularly in their ability to bypass traditional security measures and target financial data through sophisticated social engineering and technical means.

1 month ago

Android Malware Campaigns Targeting Indian Users and Banking Apps

Researchers have identified new Android malware campaigns targeting users in India, with a focus on financial fraud and surveillance. The NexusRoute remote access trojan (RAT) was discovered impersonating the Indian e-Challan app and leveraging GitHub for distribution, enabling attackers to conduct UPI fraud and monitor victims' activities. In a separate but related campaign, the FvncBot Android banking trojan masquerades as a legitimate banking-security application, exploiting accessibility and VNC features to capture keystrokes, stream device screens, and inject fraudulent transactions directly from compromised devices. Both malware strains are notable for their ability to operate within genuine banking apps, allowing them to bypass traditional security checks and evade detection. These campaigns highlight the increasing sophistication of mobile threats in India, particularly those targeting financial transactions and personal data. Security experts recommend minimizing app permissions, sourcing apps only from trusted platforms, and implementing real-time behavioral monitoring to mitigate the risks posed by such advanced mobile malware.

1 month ago