Uzbekistan Android Users Targeted: Wonderland SMS Stealer Malware Campaign Exposes Banking and Telegram Accounts
- Rescana
- Dec 23, 2025
- 4 min read

Executive Summary
A new wave of Android-targeted cyberattacks has been detected in Uzbekistan, with thousands of users falling victim to advanced SMS stealer malware. The primary threat, identified as Wonderland (formerly known as WretchedCat), is being distributed through a sophisticated affiliate model orchestrated by the cybercriminal group TrickyWonders. This campaign leverages social engineering, Telegram-based distribution, and highly obfuscated droppers to compromise Android devices, exfiltrate SMS messages—including one-time passwords (OTPs) for banking and authentication—and facilitate unauthorized financial transactions. The attackers employ rapidly rotating command-and-control (C2) infrastructure and real-time control channels, making detection and mitigation particularly challenging. The scale, technical sophistication, and monetization strategies of this campaign mark a significant escalation in mobile malware threats across Central Asia, with a particular focus on Uzbek users.
Threat Actor Profile
The group behind these attacks, TrickyWonders, operates a hierarchical, profit-driven structure. At the top are the owners and core developers, who maintain the malware codebase and C2 infrastructure. Below them are "workers" or affiliates, who distribute the malware in exchange for a share of the stolen funds. The group coordinates via private Telegram channels and bots, which automate the generation of unique, obfuscated APK payloads for each affiliate. This affiliate model enables rapid scaling and widespread distribution, while also complicating attribution and takedown efforts. TrickyWonders is known for its agility, frequently updating its malware to evade detection and rotating its infrastructure to avoid blacklisting. The group’s primary motivation is financial gain, with a focus on banking fraud, SMS-based authentication bypass, and the resale of compromised Telegram sessions on underground forums.
Technical Analysis of Malware/TTPs
The core malware family, Wonderland, is a modular Android SMS stealer with advanced capabilities. Infection typically begins with a dropper app, such as MidnightDat or RoundRift, which masquerades as a legitimate application—often mimicking the Google Play Store, popular Uzbek apps, or enticing content like videos and invitations. Victims are lured via fake websites, social media ads, or direct messages on Telegram and other messaging platforms. The dropper prompts users to enable "install from unknown sources," bypassing Android’s default security controls.
Once installed, the dropper decrypts and deploys the Wonderland payload locally, often without requiring an immediate internet connection. The malware requests extensive permissions, including access to SMS, contacts, and notification services. Upon activation, Wonderland establishes a bidirectional C2 channel using the WebSocket protocol, allowing attackers to issue real-time commands, exfiltrate SMS messages (including OTPs), and execute USSD requests for balance checks or SIM manipulation.
A key feature is the malware’s ability to suppress push notifications, preventing victims from seeing security alerts or OTPs. Wonderland can also hijack Telegram accounts by intercepting authentication codes, enabling further propagation through the victim’s contact list. The malware employs heavy code obfuscation, anti-analysis techniques, and dynamic domain generation to evade detection. Each APK build is tied to a unique C2 domain, which is rotated frequently to avoid blacklisting.
A related malware, Qwizzserial, has also been observed targeting Uzbek users. It harvests phone numbers, bank card data, SMS inbox contents, and details of installed banking apps. Exfiltration occurs via Telegram bots or HTTP POST requests. Qwizzserial is distributed through Telegram channels posing as government agencies, often using fake financial aid apps as lures.
Exploitation in the Wild
The campaign has resulted in over 100,000 confirmed infections among Uzbek Android users, according to open-source reporting from Infosecurity Magazine and Group-IB. Victims are typically targeted through social engineering, with attackers exploiting local events, financial aid programs, and popular messaging platforms to increase credibility. Once infected, users experience unauthorized financial transactions, loss of access to messaging accounts, and further exposure as the malware propagates through their contact lists.
The attackers monetize their access by intercepting banking OTPs, enabling fraudulent transactions, and selling compromised Telegram sessions on underground markets. The use of Telegram for both C2 and distribution provides resilience against takedowns and allows for rapid adaptation to countermeasures. The campaign's affiliate model has enabled widespread propagation, with infections spreading rapidly across victims' social and professional networks as hijacked accounts are used to message their contacts.
Victimology and Targeting
The primary victims are Android users in Uzbekistan, particularly those who use Telegram, banking apps, and social media platforms. The attackers focus on individuals likely to receive SMS-based OTPs, such as online banking customers and users of two-factor authentication services. The campaign has also targeted users through fake government and financial aid apps, exploiting local economic conditions and public trust in official institutions.
While the majority of infections have been reported in Uzbekistan, similar tactics and malware families have been observed in neighboring Central Asian countries, as well as in Turkey and India. The attackers demonstrate a strong understanding of local language, culture, and digital habits, tailoring their lures and distribution channels accordingly.
Mitigation and Countermeasures
Organizations and individuals can reduce their risk of infection by implementing the following measures. Block installation from unknown sources on all managed Android devices, and enforce policies that restrict sideloading of APKs. Monitor for unauthorized app installations, especially those masquerading as Google Play or popular Uzbek applications. Deploy mobile threat defense solutions capable of detecting obfuscated malware and monitoring for suspicious behaviors, such as unauthorized SMS access or notification suppression.
Educate users about the risks of installing apps from unofficial sources, and provide clear guidance on how to recognize fake update prompts and social engineering attempts via messaging platforms. Monitor for unusual Telegram session activity, including unauthorized logins and mass messaging. Network administrators should monitor for rapid domain changes in outbound traffic, particularly to domains associated with APK downloads or C2 activity.
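The network-side monitoring suggested above, as an added example that is not part of the Rescana report or any vendor tooling: a small detector that reads outbound proxy records per device and flags devices whose APK downloads and WebSocket connections spread across several distinct hosts within a 24-hour window, which is what a per-build, frequently rotated C2 domain looks like from the egress side. The log format, sample lines, hostnames and the threshold of three hosts are all constructed for this illustration.

```python
"""Flag Android devices whose outbound traffic shows rapid rotation of
APK-download or WebSocket (real-time C2 style) destinations.

Added example; not code from the report. The log format, the sample
records and the alert threshold are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample egress log, one record per line:
# "<ISO-8601 timestamp> <device id> <scheme> <url>"
SAMPLE_LOG = """\
2025-12-20T08:00:00Z dev-01 https https://play.google.com/store/apps/details?id=uz.example.bank
2025-12-20T08:05:00Z dev-01 https https://cdn.legit-news.test/news.html
2025-12-20T09:00:00Z dev-02 https https://update-play.test/PlayStore.apk
2025-12-20T09:01:00Z dev-02 wss wss://a1b2c3.rotating.test/ws
2025-12-20T13:30:00Z dev-02 wss wss://d4e5f6.rotating.test/ws
2025-12-20T19:10:00Z dev-02 wss wss://g7h8i9.rotating.test/ws
2025-12-21T09:05:00Z dev-03 https https://files.vendor.test/tool.apk
"""

WINDOW = timedelta(hours=24)
MAX_DISTINCT_HOSTS = 3  # constructed threshold: distinct APK/WebSocket hosts per device per window


def parse_line(line):
    """Split one constructed log record into its fields."""
    ts, device, scheme, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "device": device,
        "scheme": scheme,
        "host": parts.hostname or "",
        "path": parts.path,
    }


def is_interesting(ev):
    """APK fetches and WebSocket connects are the two behaviours the report
    ties to droppers and to Wonderland's bidirectional C2 channel."""
    return ev["path"].lower().endswith(".apk") or ev["scheme"] in ("ws", "wss")


def apk_downloads(log_text):
    """Direct APK fetches per device: every one of them is a sideload candidate
    worth reviewing, whatever the host."""
    hosts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["path"].lower().endswith(".apk") and ev["host"] not in hosts[ev["device"]]:
            hosts[ev["device"]].append(ev["host"])
    return dict(hosts)


def rotation_alerts(log_text, window=WINDOW, max_hosts=MAX_DISTINCT_HOSTS):
    """Return {device: sorted hosts} for devices that touched at least
    `max_hosts` distinct APK/WebSocket hosts inside one sliding window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_device = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_interesting(ev):
            by_device[ev["device"]].append(ev)
    alerts = {}
    for device, evs in by_device.items():
        # For each event, look back over everything within `window` before it.
        for i, ev in enumerate(evs):
            hosts = {e["host"] for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window}
            if len(hosts) >= max_hosts:
                alerts[device] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for device, hosts in rotation_alerts(SAMPLE_LOG).items():
        print(f"{device}: rotating APK/WebSocket destinations {hosts}")
    for device, hosts in apk_downloads(SAMPLE_LOG).items():
        print(f"{device}: direct APK fetch from {hosts}")
```

In the constructed sample, dev-02 downloads an APK from a Play-Store-lookalike host and then cycles through three WebSocket hosts in ten hours, so it trips the rotation rule; dev-03 fetches a single APK from a vendor host and is only listed as a sideload candidate, which is the distinction a triage queue needs.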
Incident response teams should stay informed of the latest indicators of compromise (IOCs) by consulting reputable threat intelligence sources, such as Group-IB, The Hacker News, and Kaspersky. Regularly update detection signatures and review device logs for evidence of sideloaded apps, suspicious permissions, and anomalous SMS or notification activity.
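The device-side review described in this section, as an added example rather than code from the report or any vendor: a triage rule set over an app inventory that scores each non-system app on the traits the report attributes to Wonderland and its droppers (installed outside Google Play, SMS permissions, notification access that lets an app read or suppress alerts, phone permission needed for USSD requests, and a label impersonating the Play Store). The inventory structure, the sample apps and the two-finding threshold are assumptions; the Android permission strings and the Play Store installer package name `com.android.vending` are Android's public identifiers.

```python
"""Triage an Android app inventory for the traits the report associates with
Wonderland-style SMS stealers and their droppers.

Added example; not code from the report. The inventory shape is an
assumption (in practice filled from an MDM export or `adb shell dumpsys`);
the permission strings and installer package name are Android's own."""

PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
PHONE_PERM = "android.permission.CALL_PHONE"  # required to dial USSD codes
IMPERSONATED_LABELS = ("google play", "play store")

# Constructed sample inventory. "notification_access" models whether the user
# granted the app notification-listener access in Settings (assumed field).
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store", "system": True,
     "installer": None, "permissions": set(), "notification_access": False},
    {"package": "uz.example.bank", "label": "Example Bank", "system": False,
     "installer": PLAY_INSTALLER, "permissions": {"android.permission.RECEIVE_SMS"},
     "notification_access": False},
    {"package": "com.updt.playservice", "label": "Google Play", "system": False,
     "installer": None,
     "permissions": SMS_PERMS | {PHONE_PERM, "android.permission.READ_CONTACTS"},
     "notification_access": True},
    {"package": "org.example.video", "label": "Video Invite", "system": False,
     "installer": None, "permissions": {"android.permission.INTERNET"},
     "notification_access": False},
]


def assess(app):
    """Return the list of suspicious traits one app exhibits (empty for system apps)."""
    findings = []
    if app.get("system"):
        return findings
    if app["installer"] != PLAY_INSTALLER:
        findings.append("sideloaded")
    if app["permissions"] & SMS_PERMS:
        findings.append("sms-access")
    if app.get("notification_access"):
        findings.append("notification-listener")
    if PHONE_PERM in app["permissions"]:
        findings.append("phone-ussd")
    if any(word in app["label"].lower() for word in IMPERSONATED_LABELS):
        findings.append("impersonates-play-store")
    return findings


def triage(inventory, min_findings=2):
    """Rank apps that show at least `min_findings` traits, most suspicious first.
    A single trait (a bank app from Play that reads OTP SMS, or one sideloaded
    app with no SMS access) is not enough on its own to surface here."""
    ranked = [(app["package"], assess(app)) for app in inventory]
    ranked = [(pkg, f) for pkg, f in ranked if len(f) >= min_findings]
    return sorted(ranked, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for package, findings in triage(SAMPLE_INVENTORY):
        print(f"{package}: {', '.join(findings)}")
```

The threshold matters in practice: a legitimate banking app installed from Play that holds RECEIVE_SMS for OTP autofill scores one trait and stays out of the queue, while the sideloaded "Google Play" lookalike that combines SMS access, notification access and phone permission scores five and sorts to the top.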
References
- Group-IB Blog: Mobile Malware in Uzbekistan
- The Hacker News: Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
- Infosecurity Magazine: Android SMS Stealer Infects 100,000 Devices in Uzbekistan
- Kaspersky Threats: Trojan-SMS.AndroidOS.Stealer
- LinkedIn: The Cyber Security Hub™ Post
About Rescana
Rescana is a leading provider of third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their digital supply chains. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to deliver actionable insights and enhance organizational resilience. For more information or to discuss how Rescana can help protect your organization, we are happy to answer questions at ops@rescana.com.