Group-IB security researchers have uncovered a sophisticated new Android malware family dubbed “Wonderland” that represents a significant evolution in SMS-stealing threats targeting users across Uzbekistan.
Unlike previous regional malware that relied on straightforward one-way data exfiltration, Wonderland implements bidirectional WebSocket-based command-and-control communication, transforming infected devices into remotely controlled agents capable of executing arbitrary commands in real-time.
The malware campaign, tracked since October 2025, demonstrates a fundamental shift in attacker tactics.
Threat actors have abandoned direct Trojan distribution in favor of multi-stage infection chains using dropper applications disguised as legitimate software.
These droppers appear harmless during initial security scans, with malicious payloads encrypted and stored in the application’s assets folder.
Once installed, the dropper silently deploys the SMS stealer without requiring internet connectivity, significantly increasing infection success rates while evading traditional detection mechanisms.
Advanced Technical Capabilities
Wonderland’s most distinctive feature is its implementation of WebSocket protocol for real-time C2 communication.
Threat actors frequently change the package names of their malicious applications . In some cases even on a daily basis making name-based detection largely ineffective.
Alternative Telegram clients like Graph Messenger and Telegram X play crucial roles, with features allowing message forwarding to all contacts and SMS-based authentication that bypasses login restrictions.
This architecture enables operators to issue dynamic commands including arbitrary USSD requests, SMS message transmission, and notification suppression.
The command-handling code dispatches incoming instructions that allow attackers to enable call forwarding on-the-fly without requiring carrier-specific updates, providing unprecedented operational flexibility compared to earlier malware families like Ajina and Qwizzserial that used hardcoded USSD codes.
The malware incorporates sophisticated anti-analysis capabilities including emulator detection, root identification, and Frida instrumentation framework detection.
When security researchers or sandboxes attempt analysis, Wonderland immediately terminates its activities through the finish() method, preventing behavior observation and network traffic capture.
The codebase employs advanced obfuscation techniques that replace class and package names with long repetitive character strings, making manual analysis extremely challenging for security professionals.
Distribution Infrastructure Evolution
Group-IB researchers identified a distributed C2 infrastructure where threat actors require workers to register their own domains through a Telegram bot.
The bot provides nameservers that route traffic to the primary C2 server, creating resilience against takedowns. If authorities seize one domain, only builds associated with that specific domain become defunct while the main infrastructure remains operational.
Primary distribution occurs through compromised Telegram accounts purchased from darknet markets. Attackers utilize stolen sessions to forward malicious APKs from channels to victims’ “Saved Messages” using delayed-send functions, creating cyclical infection chains.
Data from tracked cybercriminal Telegram channels indicates a single group generated over $2 million in 2025, confirming the substantial financial impact of SMS stealer evolution in the region.
Group-IB Fraud Protection has developed detection rules targeting both dropper and SMS stealer components, with pattern-based identification capable of detecting new samples regardless of delivery method.
Security experts recommend organizations implement comprehensive monitoring strategies including behavioral detection, application allowlisting, and regular security awareness training focused on recognizing social engineering tactics specific to the Uzbekistan threat landscape.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.