Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
Summary
The Wonderland Android SMS stealer is being spread through malicious droppers in attacks targeting users in Uzbekistan, enabling SMS and OTP theft and bank-card fraud. The malware uses bidirectional C2 to run commands, including arbitrary USSD requests, and it can also hijack Telegram accounts to widen distribution. Its operators disguise installers as legitimate apps and use fake Google Play pages, ads, and messaging lures to keep infections going.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Perseus Android malware family actively distributed in the wild
Malware Activity
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
BeatBanker Android phishing campaign targeting Brazilian users
Campaign
First: 12.03.2026 09:56
Last: 12.03.2026 09:56
Sources 1
About this happening:
A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...
Fake Google Account security page PWA phishing campaign
Campaign
First: 02.03.2026 22:23
Last: 02.03.2026 22:23
Sources 1
About this happening:
A **phishing campaign** is using a **fake Google Account security page** and a **Progressive Web App (PWA)** to steal **one-time passcodes**, harvest **cryptocurrency wallet addre...
Timeline
- 22.12.2025 08:11 · 2 articles
Wonderland Android SMS stealer disclosed targeting Uzbekistan
Initial Disclosure
Wonderland (formerly WretchedCat) is an Android SMS stealer used in mobile attacks targeting users in Uzbekistan, delivered through malicious dropper apps that masquerade as legitimate applications and can deploy a built-in payload locally after installation even without an active internet connection. The TrickyWonders operation uses Telegram to coordinate activity, distributes APKs through fake Google Play Store web pages, Facebook ad campaigns, bogus dating-app accounts, and stolen Telegram sessions, and relies on bidirectional C2 to issue real-time commands, steal SMS messages and OTPs, hijack Telegram accounts, send SMS from infected devices, and facilitate bank-card fraud.
Sources:
- Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale — thehackernews.com — 22.12.2025 08:11