Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
These articles are AI-generated summaries. Please check the original sources for full details.
Threat actors are combining purpose-built droppers with the Wonderland SMS stealer and remote access trojans (RATs) in coordinated campaigns against Android users, primarily in Uzbekistan. Wonderland, formerly known as WretchedCat, supports bidirectional command-and-control (C2) communication, so an operator can issue commands to an infected device and receive stolen data in real time.
Why This Matters
Earlier campaigns delivered the malicious APK directly. Attackers are now shifting to droppers disguised as legitimate apps: the dropper, not the stealer, is what the user installs and what initial security checks inspect, so the concealed payload gets past those checks more often. The shift has raised attack success rates and caused significant financial losses; Uzbekistan has seen a surge in bank fraud linked to these techniques. The operations involve multiple actors and dynamic infrastructure, which points to increasingly professionalized mobile malware development and deployment.
Key Insights
- MidnightDat & RoundRift (August 2025 & October 2025): Two dropper families used to conceal the Wonderland payload.
- Telegram as C2: Attackers leverage Telegram for coordination, distribution, and control of infected devices.
- Cellik Pricing (December 2025): Advertised on the dark web for $150/month or $900 for a lifetime license, demonstrating a commercialized malware ecosystem.
Practical Applications
- Use Case: Financial institutions in Uzbekistan are seeing more fraudulent transactions because Wonderland intercepts the SMS one-time passcodes (OTPs) used to authorize banking operations.
- Pitfall: Relying solely on signature-based detection fails against rapidly evolving malware and the obfuscation used by groups such as TrickyWonders; pair signatures with behavioural indicators (SMS interception, package side-loading, known C2 endpoints) that survive repacking.
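As an added example (not code from the page or from the researchers it summarizes), the Python script below triages a decoded AndroidManifest.xml and a list of extracted strings for the three capabilities the summary ties together: SMS interception (SMS permissions plus a receiver for SMS_RECEIVED), side-loading a concealed payload (REQUEST_INSTALL_PACKAGES), and a Telegram Bot API URL used as C2. It assumes the binary manifest has already been decoded to plain XML and strings have been dumped by separate tooling; the sample manifest, the package name com.example.fakeupdate and the bot token are constructed and do not describe Wonderland or any specific family. The point is a behavioural check that does not depend on a signature.

```python
"""Heuristic triage of a decoded Android manifest and extracted strings for
dropper and SMS-stealer capabilities. Added example, not code from the
page's sources; the sample manifest and strings below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an SMS stealer needs to read or intercept OTP messages.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Permission a dropper needs to side-load a second APK (the concealed payload).
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Telegram Bot API URL as it appears in C2 strings (public token format).
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+")


def manifest_findings(manifest_xml: str) -> dict:
    """Collect SMS permissions, the install permission and SMS_RECEIVED receivers."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers = [
        recv.get(ANDROID_NS + "name")
        for recv in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in recv.iter("action"))
    ]
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "can_install_packages": INSTALL_PERM in perms,
        "sms_receivers": sms_receivers,
    }


def telegram_endpoints(strings) -> list:
    """Return Telegram Bot API URLs found among extracted strings."""
    found = []
    for s in strings:
        m = TELEGRAM_BOT_RE.search(s)
        if m:
            found.append(m.group(0))
    return found


def triage(manifest_xml: str, strings) -> dict:
    """Combine indicators into a verdict. Two or more independent indicators
    (SMS interception, side-loading, Telegram C2) mark the sample suspicious;
    a single one is sent for analyst review, since SMS access alone is
    legitimate for e.g. messaging clients."""
    m = manifest_findings(manifest_xml)
    tg = telegram_endpoints(strings)
    reasons = []
    if m["sms_permissions"] and m["sms_receivers"]:
        reasons.append("sms-intercept")
    if m["can_install_packages"]:
        reasons.append("dropper")
    if tg:
        reasons.append("telegram-c2")
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "clean"
    return {"verdict": verdict, "reasons": reasons, "telegram_endpoints": tg, **m}


# Constructed sample: a fake "System Update" app that asks for SMS access,
# registers a high-priority SMS_RECEIVED receiver and can install packages.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="System Update">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed strings as a string-extraction pass might return them; the bot
# token is a made-up placeholder in the public token format.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot123456789:AAExampleTokenNotReal_0000/sendMessage",
    "payload.apk",
    "content://sms/inbox",
]

# Constructed benign manifest for contrast: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print(triage(BENIGN_MANIFEST, ["https://example.com/api"]))
```

The verdict deliberately requires two independent indicators: an SMS client legitimately holds SMS permissions and an SMS_RECEIVED receiver, and an app store client legitimately holds REQUEST_INSTALL_PACKAGES, but the combination of SMS interception, side-loading and a hard-coded Telegram bot endpoint in one "update" app is the profile the summary describes and should go to an analyst regardless of whether any signature matches.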