Find notable cyber news and cases, enriched with sources, timelines, and signals.

Wonderland Android SMS stealer activity targeting Uzbekistan

Malware Activity
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

The Wonderland Android SMS stealer is being spread through malicious droppers in attacks targeting users in Uzbekistan, enabling SMS and OTP theft and bank-card fraud. The malware uses bidirectional C2 to run commands, including arbitrary USSD requests, and it can also hijack Telegram accounts to widen distribution. Its operators disguise installers as legitimate apps and use fake Google Play pages, ads, and messaging lures to keep infections going.

Related Happenings

RedWing Android spyware rented through Telegram

Malware Activity
H score21 First: 08.07.2026 18:30 Last: 08.07.2026 18:30 Sources 1

About this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...

Asin Android spyware distribution through fake utility, PDF, and war-map apps

Malware Activity
H score22 First: 05.06.2026 17:53 Last: 05.06.2026 17:53 Sources 1

About this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...

Google rolls out Android fake call detection against AI impersonation scam calls

Security Tool/Service
H score20 First: 03.06.2026 12:02 Last: 03.06.2026 12:02 Sources 1

About this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score25 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

Timeline

  1. 22.12.2025 08:11 2 articles · 6mo ago

    Wonderland Android SMS stealer disclosed targeting Uzbekistan

    Initial Disclosure

    Wonderland (formerly WretchedCat) is an Android SMS stealer used in mobile attacks targeting users in Uzbekistan, delivered through malicious dropper apps that masquerade as legitimate applications and can deploy a built-in payload locally after installation even without an active internet connection. The TrickyWonders operation uses Telegram to coordinate activity, distributes APKs through fake Google Play Store web pages, Facebook ad campaigns, bogus dating-app accounts, and stolen Telegram sessions, and relies on bidirectional C2 to issue real-time commands, steal SMS messages and OTPs, hijack Telegram accounts, send SMS from infected devices, and facilitate bank-card fraud.

    Show sources