Wonderland malware disguised as a loud application

Wonderland malware disguised as a loud application tricked into an Android machine

The implementation of the Android operating system, although it has a high degree of freedom from being open, has to admit that it leads to easy malware development, causing users to be helplessly at risk.

According to a report by The Hacker News website, a malware release campaign was detected by a group of mobile phone users running the Android system. This malware is a malware type that steals data from the victim's machine, or an Infostealer called Wonderland with the ability to steal short messages, or SMS (Short Message Service), by a group of hackers called TrickyWonders. This malware is not a new malware, because in the past it was exploded by spreading fake application installation files in APK format, but inside it was not a purely malware, but this time the malware evolved again. A latent app in a real application where malware is inserted (Dropper) to release into the victim's machine, which a research team from Group-IB, a cybersecurity specialist company that detects the malware, has revealed is currently spreading heavily in Uzbekistan.

To spread the malware, it starts by shooting ads through popular social media like Facebook to tempt the victim to press a link on an advertisement that takes the victim to a fake website with the appearance of the website, which is the same as the actual page of the Google Play Store, the official Android app store, and then tricking him into downloading the application on the victim's mobile phone. In this process, the scam is not only limited to Facebook, but also fake accounts on the rendezvous app or Dating App and hacked accounts on the Telegram chat service. The latter account is obtained by hackers buying stolen accounts. Was sold on the black market again.

After installing a malware application on the machine, it will lead to the use of the Dropper, which can be MidnightData or RoundRift. These two Droppers will come in the stain of a request to update the app, such as "Install the update to use the app" (please update to use the application). The update will eventually lead to downloading the real malware file or payload to the victim's machine.

After the Wonderland malware has been installed on the victim's machine, the malware will immediately request access to SMS messages. If the victim gives away the permission, it will lead to theft of messages inside the SMS message camera, especially one-time passwords or OTPs. OTP information will be used to steal money from the victim's bank account through the bank app installed on the machine. The ability to access this SMS message box does not end with data theft, but can also be used to send fake SMS to other victims. Contacts on the victim's device.

There are also many other capabilities: theft of contacts and then secretly sending them back to hackers (Exfiltration), hiding notifications (Notification) on the machine, secretly using the victim's number to log in to Telegram to resume malware, and contact with the control server (C2 or Command and Control). It is also a 2-way or Bidirectional contact that makes both traffic and malware control efficient. For C2 servers, there are frequent domain changes to avoid being detected and logged to a prohibited list (Blacklist). This makes it difficult to break down the network of this malware. It can be called a very malicious malware.

In addition, the source also mentioned a similar form of malware, Cellik, which the news team has reported in the past week.

# Welcome 2026 # Take care of yourself # Open budget # Includes IT matters # freedomhack