New Wonderland Android Malware with Bidirectional SMS-Stealing Capabilities Stealing OTPs

A sophisticated new Android malware family called Wonderland has emerged as a significant threat to users in Uzbekistan and the broader Central Asia region.

The malware, which specializes in stealing SMS messages and intercepting one-time passwords, represents a major escalation in mobile threats targeting financial systems.

First discovered in October 2025, this advanced stealer demonstrates technical sophistication far beyond previous regional malware variants.

The Wonderland malware operates through a multi-stage infection chain that begins with seemingly harmless dropper applications.

These droppers are disguised as legitimate software or media files, making them appear trustworthy to unsuspecting users.

Once installed, the dropper silently extracts and deploys the actual SMS-stealing payload without requiring additional user interaction.

Screenshots of letters or messages that impersonate official court documents or summons (Source - Group-IB)

This covert delivery method significantly increases infection success rates while evading traditional security detection mechanisms.

What makes Wonderland particularly dangerous is its use of advanced evasion techniques. The malware includes built-in protections against analysis, detecting when it runs on emulators, rooted devices, or sandboxed environments.

When such conditions are detected, the malware terminates immediately, preventing researchers from studying its behavior.

A series of screenshots of a dropper malware masquerading as an app on Google Play (Source - Group-IB)

Additionally, the code employs heavy obfuscation, including long strings of repetitive characters, which makes reverse engineering extremely difficult for security analysts.

Group-IB analysts identified and documented the malware’s capabilities through extensive research and threat intelligence gathering.

The researchers noted that Wonderland is the first mass-spreading Android SMS stealer in Uzbekistan that supports true bidirectional command-and-control communication.

Unlike earlier malware that operated in a one-way, fire-and-forget model (exfiltrating stolen data without ever receiving instructions), Wonderland uses the WebSocket protocol for continuous two-way communication with the attackers' servers.

Bidirectional Command and Control Mechanism

The real innovation behind Wonderland lies in its command-and-control architecture. The malware can receive real-time commands from attackers, enabling dynamic execution of harmful actions.

It can issue arbitrary USSD requests, so the operators choose carrier-specific codes on the fly rather than relying on values hardcoded in the sample.

This flexibility lets attackers switch on call forwarding on the victim's line and carry out other advanced fraud techniques.
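Call forwarding on a GSM line is controlled through supplementary-service (MMI) codes such as `**21*<number>#`, which registers unconditional forwarding to the supplied number. The parser below is an added example written for this article, not code from Group-IB or from the malware; it classifies USSD strings recovered from a C2 transcript or device log by MMI operation and service code (3GPP TS 22.030) and flags forwarding registrations as high risk. The sample commands and the phone number in them are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Call-forwarding service codes (3GPP TS 22.030 / TS 22.004).
CALL_FORWARDING_SC = {
    "21": "unconditional",
    "67": "busy",
    "61": "no reply",
    "62": "not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# MMI procedure prefixes. Two-character prefixes must be tried before one-character ones.
OPERATIONS = {
    "**": "register",
    "*#": "interrogate",
    "##": "erase",
    "*": "activate",
    "#": "deactivate",
}

# <prefix><SC>[*SIA[*SIB[*SIC]]]#  where SIA is normally the forward-to number.
MMI_RE = re.compile(
    r"^(?P<op>\*\*|\*#|##|\*|#)"
    r"(?P<sc>\d{2,3})"
    r"(?:\*(?P<sia>[^*#]*))?"
    r"(?:\*(?P<sib>[^*#]*))?"
    r"(?:\*(?P<sic>[^*#]*))?"
    r"#$"
)


@dataclass
class UssdVerdict:
    code: str
    operation: Optional[str]   # register / activate / deactivate / erase / interrogate
    service: Optional[str]     # call-forwarding variant, or None if not a forwarding SC
    target: Optional[str]      # forward-to number when present
    risk: str                  # high / medium / low / other-service / unparsed


def classify_ussd(code: str) -> UssdVerdict:
    """Classify one USSD/MMI string as seen in a C2 command or a device log."""
    m = MMI_RE.match(code.strip())
    if not m:
        # Not MMI syntax (or a free-form network USSD this parser does not model).
        return UssdVerdict(code, None, None, None, "unparsed")
    operation = OPERATIONS[m.group("op")]
    service = CALL_FORWARDING_SC.get(m.group("sc"))
    target = m.group("sia") or None
    if service is None:
        return UssdVerdict(code, operation, None, target, "other-service")
    if operation in ("register", "activate"):
        # Registering a number redirects the victim's calls; activation without a
        # number re-enables a previously registered target.
        risk = "high" if target else "medium"
    else:
        risk = "low"
    return UssdVerdict(code, operation, service, target, risk)


def flag_forwarding(commands: list) -> list:
    """Return the verdicts that indicate call forwarding being switched on."""
    return [v for v in map(classify_ussd, commands) if v.risk in ("high", "medium")]


if __name__ == "__main__":
    # Constructed sample commands, not taken from any real capture.
    sample = [
        "**21*+998901234567#",        # register unconditional forwarding (hypothetical number)
        "**61*+998901234567*11*20#",  # forward on no reply, voice service, 20 s timer
        "*#21#",                      # interrogate forwarding status
        "##002#",                     # erase all forwarding
        "*100#",                      # typical balance query, not forwarding
        "not-a-code",
    ]
    for verdict in map(classify_ussd, sample):
        print(verdict)
```

Feeding the USSD strings pulled from a decrypted C2 exchange through `flag_forwarding` gives an analyst the forwarding targets to report to the carrier, which is the one party that can reverse the redirection.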

The malware also sends arbitrary SMS messages and suppresses push notifications, effectively hiding security alerts and OTPs during active financial fraud attempts.
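Each of these behaviours (receiving and sending SMS, dialling USSD, silencing notifications, talking to a C2 server) needs a declared Android permission or component, so a decoded AndroidManifest.xml such as apktool produces is a cheap first triage surface. The script below is an added example written for this article, not Group-IB's tooling; it runs on a constructed manifest whose package and class names are hypothetical, and it flags the combination that this class of stealer depends on: SMS interception plus network access plus a notification-listener service.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
PRIORITY = f"{{{ANDROID_NS}}}priority"

# Permissions that map onto the capabilities of an SMS-stealing implant.
CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send arbitrary SMS",
    "android.permission.CALL_PHONE": "place calls / dial USSD codes",
    "android.permission.INTERNET": "network C2 / exfiltration",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persist across reboots",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for SMS-stealer indicators."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    findings = [CAPABILITIES[p] for p in sorted(perms) if p in CAPABILITIES]

    # A service guarded by BIND_NOTIFICATION_LISTENER_SERVICE can read and cancel
    # other apps' notifications: the mechanism for hiding OTP and bank alerts.
    listener = any(s.get(PERMISSION) == NOTIFICATION_LISTENER for s in root.iter("service"))
    if listener:
        findings.append("notification listener (read/dismiss other apps' alerts)")

    # A high-priority SMS_RECEIVED receiver sees messages before the default SMS app.
    sms_receiver_priority = None
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            if any(a.get(NAME) == SMS_RECEIVED for a in flt.iter("action")):
                sms_receiver_priority = int(flt.get(PRIORITY, "0"))
    if sms_receiver_priority is not None:
        findings.append(f"SMS_RECEIVED receiver (priority {sms_receiver_priority})")

    sms_and_c2 = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms
    if sms_and_c2 and listener:
        verdict = "high"
    elif sms_and_c2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed manifest for demonstration; package and class names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
""".strip()


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The verdict is only a triage hint: legitimate SMS apps also hold these permissions, so a "high" result should send the sample to dynamic analysis rather than straight to a blocklist.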

The technical implementation reveals a sophisticated understanding of Android internals. The persistent WebSocket connection keeps the channel open in both directions, which makes the implant a remote access tool rather than a simple data stealer.

Updated network infrastructure (Source - Group-IB)

When the malware detects incoming commands, it processes them through a handler that interprets requests and executes corresponding operations on the compromised device.

Code obfuscation makes it extremely challenging for analysts to identify specific command handlers.

Group-IB’s research indicates that criminal groups operating the malware infrastructure earned more than $2 million in 2025 alone, underscoring the significant real-world impact.

Malware distribution scheme on Telegram (Source - Group-IB)

The malware is distributed primarily via Telegram, leveraging stolen user sessions and social engineering tactics to deceive victims.

Organizations and users should implement comprehensive security monitoring and avoid installing applications from untrusted sources. On Android specifically, any app that asks for SMS access or notification-listener access deserves scrutiny, because those are the permissions this class of stealer needs in order to read OTPs and hide the resulting alerts.
