Android Malware Operations: Droppers, SMS Theft, and RATs at Scale

A new wave of Android malware campaigns is demonstrating how mobile cybercrime has matured into professionalized, large-scale operations.

Wonderland Malware (Uzbekistan)

  • Actor: TrickyWonders.
  • Evolution: From “pure” Trojans to dropper apps disguised as legitimate software.
  • Payload: Wonderland (formerly WretchedCat).
  • Capabilities:
    • Bidirectional C2 communication.
    • Arbitrary USSD requests.
    • SMS theft (including OTP interception).
    • Contact list exfiltration.
    • Push notification suppression.
    • Sending SMS for lateral spread.
  • Distribution: Fake Google Play pages, Facebook ads, dating apps, Telegram.
  • Cycle: Hijacks Telegram accounts → spreads APKs to contacts → repeats infection chain.

Supporting Infrastructure

  • Droppers:
    • MidnightDat (Aug 2025).
    • RoundRift (Oct 2025).
  • Obfuscation: Heavy anti-analysis tricks.
  • Resilience: Rapidly changing domains, each tied to specific builds.
  • Automation: Telegram bots generate malicious APKs.
  • Hierarchy: Group owners, developers, “vbivers” (card validators), and workers distributing malware for profit shares.

Other Emerging Android Malware

Cellik

  • Sold on dark web: $150/month or $900 lifetime.
  • Features: Real-time screen streaming, keylogging, RAT functions (camera/mic access), app overlays, notification interception.
  • One-click APK builder: Wraps payload inside legitimate Google Play apps.

Frogblight (Turkey)

  • Delivered via SMS phishing (fake court documents).
  • Steals banking credentials via WebViews.
  • Collects SMS, call logs, contacts, installed apps.
  • Has a web panel, which suggests a Malware-as-a-Service (MaaS) model is in development.

NexusRoute (India)

  • Distributed via phishing portals impersonating government services.
  • Hosted on GitHub repos/pages.
  • Fully obfuscated RAT: steals mobile numbers, UPI PINs, OTPs, card details, vehicle data.
  • Abuses accessibility services, sets itself as default launcher.
  • Features: SMS interception, SIM profiling, contact theft, call-log harvesting, microphone/GPS access.
  • Linked to professional underground ecosystem (email “gymkhana.studio@gmail[.]com”).

Strategic Trends

  • Droppers make malware appear harmless, bypassing security checks.
  • Bidirectional C2 transforms passive stealers into active remote-controlled agents.
  • Dynamic infrastructure (rotating domains, modular builds) complicates takedowns.
  • Professionalization: Hierarchical fraud groups, MaaS offerings, automated APK builders.
  • Weaponization of trust: Fake Google Play apps, government portals, dating apps, and social media campaigns.

Defensive Guidance

  • Avoid sideloading: Don’t enable “install from unknown sources.”
  • Verify apps: Only install from official Google Play.
  • Monitor permissions: Be wary of apps requesting SMS, accessibility, or notification access.
  • Threat hunting: Look for obfuscated APKs, Telegram-based distribution, and suspicious domains.
  • Awareness: Educate users about phishing portals and fake update prompts.
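The permission-monitoring and threat-hunting points above can be turned into a first-pass triage check over a decoded AndroidManifest.xml. The following is an added example, not code from the original post or from any tooling it describes; the weights, function names and the sample manifest are constructed for illustration and map to the capabilities listed in this post (SMS theft, USSD, contact exfiltration, notification interception, accessibility abuse, default-launcher takeover, dropper installs).

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed weights for the capabilities listed above; not a published scheme.
USES_PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": ("SMS/OTP interception", 3),
    "android.permission.READ_SMS": ("SMS theft", 3),
    "android.permission.SEND_SMS": ("SMS-based spreading", 3),
    "android.permission.READ_CONTACTS": ("contact exfiltration", 2),
    "android.permission.CALL_PHONE": ("USSD/dialling", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper installs", 3),
}
# Declared on <service android:permission=...>, not via <uses-permission>.
SERVICE_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility abuse", 4),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification interception", 3),
}

def triage_manifest(manifest_xml: str, threshold: int = 8) -> dict:
    """Score a decoded AndroidManifest.xml; 'suspicious' is True at/above threshold."""
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []
    for el in root.iter("uses-permission"):
        hit = USES_PERMISSION_WEIGHTS.get(el.get(NS + "name", ""))
        if hit:
            score, findings = score + hit[1], findings + [hit[0]]
    for svc in root.iter("service"):
        hit = SERVICE_WEIGHTS.get(svc.get(NS + "permission", ""))
        if hit:
            score, findings = score + hit[1], findings + [hit[0]]
    # An activity registered for the HOME category can replace the launcher.
    if any(c.get(NS + "name") == "android.intent.category.HOME"
           for c in root.iter("category")):
        score, findings = score + 3, findings + ["default-launcher takeover"]
    return {"score": score, "findings": findings, "suspicious": score >= threshold}

# Constructed sample manifest resembling the dropper/RAT pattern; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".A11y"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <activity android:name=".Main"><intent-filter>
      <category android:name="android.intent.category.HOME"/>
    </intent-filter></activity></application>
</manifest>"""
```

A manifest is obtained by decoding the APK first (for example with apktool); the score is a triage hint for further analysis, not a verdict.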

Taken together, this ecosystem shows how mobile malware has evolved from simple banking Trojans into full-fledged RAT platforms, blending fraud, surveillance, and scalable distribution.
