Android Malware Campaigns Targeting Banking and Messaging Apps
A surge in Android malware campaigns has been observed across multiple regions, with attackers leveraging sophisticated droppers and SMS stealers to compromise user devices and drain bank accounts. Notably, the Wonderland dropper malware has been identified as hijacking Telegram sessions to facilitate unauthorized banking transactions, while other malware families such as Frogblight, NexusRoute, and Ajina.Banker are also implicated in recent attacks. These campaigns often distribute malicious APKs disguised as legitimate applications, with infection vectors including sideloading and direct delivery via messaging platforms like Telegram.
In Uzbekistan, threat groups such as TrickyWonders, Blazefang, and Ajina have been linked to a wave of attacks using SMS stealer malware, exploiting Telegram's popularity to propagate infections and steal credentials. Security researchers have highlighted the evolving tactics of these actors, including the use of AES-based droppers and multi-stage payloads, underscoring the persistent threat posed by Android-targeted malware in both financial and personal data theft.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose Wonderland Android dropper using Telegram for C2
By December 23, 2025, reporting described Wonderland as a newly discovered Android dropper that used Telegram as a command-and-control channel. The malware was said to hijack devices, support unauthorized access to bank accounts, and use evasion techniques to maintain persistence and avoid detection.
AhnLab reports Wonderland among notable Android threats of mid-December
AhnLab ASEC published its weekly mobile threat roundup on December 22, 2025, highlighting Android malware activity for the third week of December. The report identified Wonderland, Frogblight, and NexusRoute as notable threats observed during the period.
Group-IB publicly describes the Uzbekistan Android malware wave
On December 19, 2025, Group-IB publicly disclosed details of the Android SMS-stealer campaign affecting Telegram users in Uzbekistan. The report highlighted multiple malware families, improved distribution and obfuscation, and guidance for users to monitor suspicious activity and reset infected devices.
Attackers adopt stealthier Android droppers to evade detection
During the Uzbekistan campaign, researchers observed attackers shifting to seemingly benign droppers that embedded stealers, along with anti-analysis techniques and frequent rotation of domains and package names. Group-IB characterized this as a significant increase in the operation's maturity and infection effectiveness.
Android SMS-stealer campaign begins targeting Telegram users in Uzbekistan
Group-IB said a new wave of Android SMS-stealer activity targeting Telegram users in Uzbekistan began in October 2025. Multiple threat groups used Telegram-based social engineering to distribute malicious APKs that stole credentials and money and spread via victims' contacts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Wonderland Unleashed: New Android “Dropper” Malware Hijacks Telegram to Drain Bank Accounts
securityonline.info
Open sourceMobile Security & Malware Issue 3st Week of December, 2025
asec.ahnlab.com
Open sourceUzbek Users Under Attack by Android SMS Stealers
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Malware Leveraging Legitimate Apps for Surveillance and Theft
Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.
Mar 21, 2026
Emergence of Advanced Android Malware Targeting SMS and Financial Data in Central Asia and Turkey
A new wave of sophisticated Android malware has been identified, targeting users in Central Asia and Turkey with the aim of stealing SMS messages, intercepting one-time passwords (OTPs), and draining bank accounts. The Wonderland malware, discovered in Uzbekistan and neighboring regions, employs multi-stage infection chains using dropper apps disguised as legitimate software. Once installed, Wonderland silently deploys its SMS-stealing payload, leveraging advanced evasion techniques such as emulator and sandbox detection, as well as heavy code obfuscation, to avoid analysis and detection by security tools. In Turkey, the Frogblight malware has been spreading through smishing campaigns that impersonate court summons or social aid notifications, tricking users into installing malicious apps. These apps, often named to mimic official government services, request extensive permissions to access SMS and storage, enabling the theft of sensitive information. Frogblight also demonstrates anti-analysis features, shutting down if it detects a fake phone or a device located in the United States. Both malware families represent a significant escalation in mobile threats, particularly in their ability to bypass traditional security measures and target financial data through sophisticated social engineering and technical means.
Mar 21, 2026
Android SMS-Stealing Malware Campaign Evolves in Uzbekistan
Group-IB reported a new stage in the evolution of Android **SMS-stealing malware** targeting users in Uzbekistan, indicating that threat actors are continuing to refine mobile malware operations aimed at intercepting text messages. Such malware is commonly used to capture one-time passwords, banking verification codes, and other sensitive communications that can enable account takeover, financial fraud, and unauthorized access to online services. The report indicates that the activity is part of a broader shift in mobile threat tactics, with attackers adapting their tooling and lures to improve infection success and persistence on Android devices. The campaign highlights ongoing risk to mobile users and organizations that rely on SMS-based authentication, underscoring the need for stronger mobile security controls, user awareness, and reduced dependence on SMS for high-risk authentication workflows.
May 25, 2026