Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
Summary
Hide ▲
Show ▼
The Wonderland Android SMS stealer is being spread through malicious droppers in attacks targeting users in Uzbekistan, enabling SMS and OTP theft and bank-card fraud. The malware uses bidirectional C2 to run commands, including arbitrary USSD requests, and it can also hijack Telegram accounts to widen distribution. Its operators disguise installers as legitimate apps and use fake Google Play pages, ads, and messaging lures to keep infections going.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware Activity
H score22
First: 05.06.2026 17:53
Last: 05.06.2026 17:53
Sources 1
About this happening:
The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware ActivityAbout this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/ServiceAbout this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor MetaAbout this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Timeline
-
22.12.2025 08:11 2 articles · 6mo ago
Wonderland Android SMS stealer disclosed targeting Uzbekistan
Initial DisclosureWonderland (formerly WretchedCat) is an Android SMS stealer used in mobile attacks targeting users in Uzbekistan, delivered through malicious dropper apps that masquerade as legitimate applications and can deploy a built-in payload locally after installation even without an active internet connection. The TrickyWonders operation uses Telegram to coordinate activity, distributes APKs through fake Google Play Store web pages, Facebook ad campaigns, bogus dating-app accounts, and stolen Telegram sessions, and relies on bidirectional C2 to issue real-time commands, steal SMS messages and OTPs, hijack Telegram accounts, send SMS from infected devices, and facilitate bank-card fraud.
Show sources
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11