Emergence of Advanced Android Malware Targeting SMS and Financial Data in Central Asia and Turkey
A new wave of sophisticated Android malware has been identified, targeting users in Central Asia and Turkey with the aim of stealing SMS messages, intercepting one-time passwords (OTPs), and draining bank accounts. The Wonderland malware, discovered in Uzbekistan and neighboring regions, employs multi-stage infection chains using dropper apps disguised as legitimate software. Once installed, Wonderland silently deploys its SMS-stealing payload, leveraging advanced evasion techniques such as emulator and sandbox detection, as well as heavy code obfuscation, to avoid analysis and detection by security tools.
In Turkey, the Frogblight malware has been spreading through smishing campaigns that impersonate court summons or social aid notifications, tricking users into installing malicious apps. These apps, often named to mimic official government services, request extensive permissions to access SMS and storage, enabling the theft of sensitive information. Frogblight also demonstrates anti-analysis features, shutting down if it detects a fake phone or a device located in the United States. Both malware families represent a significant escalation in mobile threats, particularly in their ability to bypass traditional security measures and target financial data through sophisticated social engineering and technical means.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Criminal groups using Wonderland earn over $2 million in 2025
During 2025, criminal groups operating Wonderland reportedly generated more than $2 million through financial fraud campaigns. The malware enabled real-time command execution, USSD manipulation, notification suppression, and SMS interception to support the fraud.
Frogblight evolves with added theft and evasion features
Researchers reported that Frogblight rapidly evolved through frequent updates, adding capabilities such as keylogging, contact theft, call log exfiltration, and emulator or geofencing-based shutdown behavior. Evidence also suggested the malware was being offered as a malware-as-a-service operation linked to Turkish-speaking actors.
Frogblight banking Trojan discovered targeting users in Turkiye
By December 2025, researchers identified a new Android banking Trojan called Frogblight targeting mobile users in Turkiye. The malware was spread through smishing messages themed around court cases and financial aid, using fake apps to steal banking credentials and drain accounts.
Researchers document Wonderland malware's technical details
By December 2025, Group-IB publicly documented Wonderland's bidirectional SMS-stealing capabilities, multi-stage infection chain, and Telegram-based distribution methods. The disclosure highlighted the malware as a significant threat to financial systems in the region.
Wonderland Android malware first discovered in Central Asia
Group-IB researchers first identified the Wonderland Android malware family in October 2025 targeting users in Uzbekistan and the wider Central Asia region. The malware used dropper apps, heavy obfuscation, sandbox evasion, and WebSocket-based command-and-control to steal SMS messages and one-time passwords.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Malware Campaigns Targeting Banking and Messaging Apps
A surge in Android malware campaigns has been observed across multiple regions, with attackers leveraging sophisticated droppers and SMS stealers to compromise user devices and drain bank accounts. Notably, the Wonderland dropper malware has been identified as hijacking Telegram sessions to facilitate unauthorized banking transactions, while other malware families such as Frogblight, NexusRoute, and Ajina.Banker are also implicated in recent attacks. These campaigns often distribute malicious APKs disguised as legitimate applications, with infection vectors including sideloading and direct delivery via messaging platforms like Telegram. In Uzbekistan, threat groups such as TrickyWonders, Blazefang, and Ajina have been linked to a wave of attacks using SMS stealer malware, exploiting Telegram's popularity to propagate infections and steal credentials. Security researchers have highlighted the evolving tactics of these actors, including the use of AES-based droppers and multi-stage payloads, underscoring the persistent threat posed by Android-targeted malware in both financial and personal data theft.
Mar 21, 2026
Android Malware Leveraging Legitimate Apps for Surveillance and Theft
Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.
Mar 21, 2026
Frogblight Android Banking Trojan Targets Turkish Users via Fake Government Websites
A new Android banking Trojan known as **Frogblight** has emerged, specifically targeting users in Turkey through sophisticated social engineering tactics. The malware initially masquerades as an official government application for accessing court case files, luring victims via phishing SMS messages that claim legal involvement and direct them to convincing fake government websites. Once installed, Frogblight requests extensive permissions, including access to SMS, storage, and device information, and displays legitimate government web pages within an embedded browser to maintain the illusion of authenticity. The malware is capable of stealing banking credentials, monitoring SMS messages, tracking installed applications, and sending arbitrary SMS messages to external contacts. Researchers have observed that Frogblight is under active development, with new features added over time, suggesting a potential **Malware-as-a-Service (MaaS)** distribution model. The infection mechanism relies on JavaScript code injection within a compromised WebView, allowing the malware to silently capture user inputs. Security products, including those from Kaspersky, detect Frogblight under various heuristic signatures. The campaign highlights the increasing sophistication of Android banking threats and the use of official government branding to enhance the credibility of phishing lures targeting Turkish citizens.
Mar 21, 2026