Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan.

Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play or files of other formats, such as videos, photos, and wedding invitations.

Once the malware is installed, it gains access to SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims’ bank cards. Other capabilities include retrieving phone numbers, exfiltrating contact lists, hiding push notifications to suppress security or OTP alerts, and even sending SMS messages from infected devices for lateral movement.

The use of dropper applications is strategic as it causes them to appear harmless and evade security checks. In addition, both the dropper and SMS stealer components are heavily obfuscated and incorporate anti-analysis tricks to make them a lot more challenging and time-consuming to reverse engineer.

To read the complete article see: The Hacker News.