RoundRift

RoundRift is an AES-based Android dropper malware family first seen on October 15, 2025. It has been observed in a large-scale malware campaign targeting users in Uzbekistan, particularly Telegram users, and is used to conceal and deliver the encrypted payload of the Wonderland SMS stealer. Group-IB reported that RoundRift masquerades as a legitimate application, including fake Google Play Store apps, popular Uzbek apps, or lure content such as videos and invitations, and is distributed as sideloaded APKs via Telegram and related social-engineering channels. The campaign has been attributed in reporting to multiple threat groups active in Uzbekistan-focused Android fraud operations, including TrickyWonders. RoundRift is part of a shift from directly distributed stealers to seemingly benign droppers that embed the stealer deeper inside, helping samples pass standard security checks and delaying detection. Reported behaviors in the broader campaign include heavy obfuscation, anti-analysis and anti-sandboxing functions, deceptive uninstall prompts, and frequent rotation of package names and infrastructure domains. Its role is to hide the primary encrypted payload rather than act as the final stealer itself. The associated activity targets Android users in Uzbekistan and supports financially motivated theft operations involving SMS/OTP interception, Telegram account compromise, and unauthorized financial transactions through the delivered payload.