Android Malware Leveraging Legitimate Apps for Surveillance and Theft
Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection.
The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Analysis links broader Android malware trend to Cellik and other families
Reporting highlighted a wider evolution in Android malware operations, noting the emergence of families including Cellik, Frogblight, and NexusRoute that combine capabilities such as RAT access, phishing, screen streaming, and malware-as-a-service delivery. This marked a broader escalation in mobile threat sophistication across multiple countries.
Threat actors scale Wonderland Android malware campaign in Uzbekistan
Researchers reported that the financially motivated TrickyWonders group was using dropper apps disguised as legitimate software to deliver the Wonderland SMS-stealing malware, primarily targeting users in Uzbekistan. The operation used fake Google Play pages, social media ads, and messaging apps to steal SMS messages, intercept OTPs, and drain victims' bank cards.
Researchers discover Cellik Android RAT abusing legitimate Play apps
A newly identified Android remote access trojan named Cellik was reported as covertly turning legitimate Google Play applications into surveillance tools to evade detection and monitor infected devices. The malware was described as part of a broader wave of increasingly sophisticated Android threats.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
The Silent Hijacker: New Cellik Android RAT Turns Legitimate Google Play Apps into Surveillance Tools
securityonline.info
Open sourceAndroid Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Malware Campaigns Targeting Banking and Messaging Apps
A surge in Android malware campaigns has been observed across multiple regions, with attackers leveraging sophisticated droppers and SMS stealers to compromise user devices and drain bank accounts. Notably, the Wonderland dropper malware has been identified as hijacking Telegram sessions to facilitate unauthorized banking transactions, while other malware families such as Frogblight, NexusRoute, and Ajina.Banker are also implicated in recent attacks. These campaigns often distribute malicious APKs disguised as legitimate applications, with infection vectors including sideloading and direct delivery via messaging platforms like Telegram. In Uzbekistan, threat groups such as TrickyWonders, Blazefang, and Ajina have been linked to a wave of attacks using SMS stealer malware, exploiting Telegram's popularity to propagate infections and steal credentials. Security researchers have highlighted the evolving tactics of these actors, including the use of AES-based droppers and multi-stage payloads, underscoring the persistent threat posed by Android-targeted malware in both financial and personal data theft.
Mar 21, 2026
Emergence of Advanced Android Malware Targeting SMS and Financial Data in Central Asia and Turkey
A new wave of sophisticated Android malware has been identified, targeting users in Central Asia and Turkey with the aim of stealing SMS messages, intercepting one-time passwords (OTPs), and draining bank accounts. The Wonderland malware, discovered in Uzbekistan and neighboring regions, employs multi-stage infection chains using dropper apps disguised as legitimate software. Once installed, Wonderland silently deploys its SMS-stealing payload, leveraging advanced evasion techniques such as emulator and sandbox detection, as well as heavy code obfuscation, to avoid analysis and detection by security tools. In Turkey, the Frogblight malware has been spreading through smishing campaigns that impersonate court summons or social aid notifications, tricking users into installing malicious apps. These apps, often named to mimic official government services, request extensive permissions to access SMS and storage, enabling the theft of sensitive information. Frogblight also demonstrates anti-analysis features, shutting down if it detects a fake phone or a device located in the United States. Both malware families represent a significant escalation in mobile threats, particularly in their ability to bypass traditional security measures and target financial data through sophisticated social engineering and technical means.
Mar 21, 2026
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
Mar 21, 2026