In the autumn of 2025, cybersecurity researchers tracking a surge of Android infections in Central Asia began to see a pattern that felt both familiar and unsettling: ordinary messages, familiar apps and routine updates were quietly being turned into conduits for large-scale financial theft.
A Campaign That Blended Into Everyday Digital Life
When researchers at Group-IB first detected a new wave of Android malware in Uzbekistan in October 2025, the initial indicators were unremarkable. Malicious files circulated through common messaging channels, often masquerading as benign updates or shared media. Yet the scope soon became clear. What appeared to be scattered incidents were in fact part of a coordinated campaign that reflected a maturing underground economy, one increasingly adept at blending fraud into everyday digital habits.
Uzbekistan, with its rapidly expanding smartphone use and reliance on SMS-based authentication for banking and government services, provided fertile ground. According to Group-IB, a single cybercriminal group behind the campaign generated more than $2 million in illicit revenue in 2025 alone. The figure underscored not only the financial impact, but also the operational efficiency of the attackers, who appeared to be refining their tools in near real time.
Unlike earlier malware outbreaks that relied on crude phishing or obvious malicious links, this campaign leaned on subtlety. Telegram, widely used and trusted, became the primary distribution channel. In many cases, compromised Telegram accounts—acquired through dark web marketplaces—were used to forward malware-laced messages automatically to contacts, creating a self-sustaining infection cycle that required little direct intervention from the attackers.
From Simple Stealers to Live Command-and-Control
At the center of the campaign was a newly identified malware family dubbed “Wonderland,” described by analysts as the most advanced Android SMS stealer yet observed in the region. Earlier generations of such malware were largely one-way tools, silently exfiltrating text messages and disappearing into the background. Wonderland marked a departure.
Using the WebSocket protocol, the malware established a bidirectional command-and-control channel, allowing operators to issue real-time instructions. This capability transformed infected phones into remotely managed assets. Attackers could intercept one-time passwords used for banking logins, forward calls, suppress security notifications, and even initiate USSD requests directly from the victim’s device.
The evolution was gradual but deliberate. Group-IB’s timeline shows early “rough samples” appearing in February 2025, followed by a phase of adaptation and refinement through the summer. By August, the malware had reached a level of polish that combined stealth, flexibility and resilience—attributes once associated mainly with high-end espionage tools, now repurposed for mass financial crime.
Dropper Apps and the Art of Staying Invisible
Distribution methods evolved alongside the malware itself. Rather than sending overtly malicious APK files, attackers increasingly relied on “droppers”—apps that appeared harmless but carried encrypted payloads within their assets. Some impersonated trusted services like Google Play updates; others posed as video or photo files. Once installed, these droppers unpacked and installed the final malware locally, sometimes without requiring an active internet connection.
This approach allowed the attackers to bypass many traditional security checks. Code obfuscation, sandbox and emulator detection, and frequent rotation of application names and package identifiers made signature-based detection unreliable. The command-and-control infrastructure was equally fluid, with domains changing regularly to frustrate takedown efforts.
Analysts identified multiple dropper families, including ones known as MidnightDat and RoundRift, each contributing incremental improvements to concealment and persistence. The result was a campaign that, while technically complex, presented a deceptively simple interface to users—often nothing more than a single “Update” button masking the malware’s installation.
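As an added illustration of how a defender might triage an APK against the capability profile described above (SMS interception, call forwarding and USSD, notification suppression, and a dropper installing an encrypted payload from its assets), here is a small Python heuristic; it is example code written for this page, not Group-IB's tooling, and the weights, threshold and sample manifests are assumptions.

```python
# Added triage heuristic (not Group-IB's tooling): scores an Android manifest's
# declared permissions against the capability profile of Wonderland-style SMS
# stealers and their droppers. Permission names are real Android permissions;
# the weights, threshold and sample manifests are assumptions for illustration.
import re
from dataclasses import dataclass, field

# Capability -> (permissions that enable it, weight). Any one permission triggers it.
CAPABILITIES = {
    "sms_interception": ({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}, 3),
    "sms_sending": ({"android.permission.SEND_SMS"}, 2),
    "call_forward_or_ussd": ({"android.permission.CALL_PHONE"}, 2),
    "notification_control": ({"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
                              "android.permission.BIND_ACCESSIBILITY_SERVICE"}, 2),
    "sideload_payload": ({"android.permission.REQUEST_INSTALL_PACKAGES"}, 3),
    "boot_persistence": ({"android.permission.RECEIVE_BOOT_COMPLETED"}, 1),
}
SUSPICIOUS_THRESHOLD = 6  # assumption: SMS access plus one more capability warrants review

# Matches <uses-permission android:name=...> and the android:permission=... a
# notification-listener or accessibility <service> must declare.
_PERM_RE = re.compile(r'android:(?:name|permission)="(android\.permission\.[^"]+)"')

@dataclass
class Verdict:
    score: int
    capabilities: list = field(default_factory=list)
    suspicious: bool = False

def extract_permissions(manifest_xml: str) -> set:
    """Collect android.permission.* names declared anywhere in the manifest."""
    return set(_PERM_RE.findall(manifest_xml))

def triage(manifest_xml: str, has_encrypted_asset: bool = False) -> Verdict:
    """Score the manifest; an opaque blob in assets/ plus install rights is the dropper pattern."""
    perms = extract_permissions(manifest_xml)
    v = Verdict(score=0)
    for name, (needed, weight) in CAPABILITIES.items():
        if perms & needed:
            v.capabilities.append(name)
            v.score += weight
    if has_encrypted_asset and "sideload_payload" in v.capabilities:
        v.capabilities.append("dropper_pattern")
        v.score += 3
    v.suspicious = v.score >= SUSPICIOUS_THRESHOLD
    return v

# Constructed sample manifests for demonstration (not real samples from the campaign).
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""
MEDIA_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""
```

Whether an asset is an opaque encrypted blob must be decided separately (for example by an entropy check on files under assets/); the function only takes that finding as an input flag.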
Containment, Cleanup, and the Limits of User Vigilance
For defenders, the campaign highlighted familiar challenges. Many infections began with a moment of routine trust: a message from a known contact, a prompt that looked like a legitimate update. Once embedded, the malware’s ability to suppress alerts and intercept authentication codes meant victims often remained unaware until financial losses occurred.
Cybersecurity experts advising on the campaign emphasized practical countermeasures rather than technological silver bullets. Avoiding APK downloads from unofficial sources remains critical, as does close monitoring of device behavior for unexplained permissions or activity. Organizations, particularly banks and payment providers, are being urged to rely more heavily on behavioral fraud detection and real-time threat intelligence rather than SMS-based authentication alone.
In cases of suspected infection, the guidance is blunt. Disconnecting the device from the internet and performing a full factory reset is still considered the most reliable way to remove the malware. It is an unglamorous solution to a sophisticated problem, reflecting a broader reality: as mobile malware grows more advanced, the gap between attacker innovation and everyday user defenses continues to narrow.