Android Malware Campaigns Evolve Into Modular Fraud Platforms at Scale
Threat actors are rapidly transforming Android malware from single-purpose banking Trojans into modular, multi-stage mobile attack frameworks that combine droppers, SMS theft, Telegram hijacking, and full remote-access capabilities. Recent campaigns observed in Central Asia and beyond highlight a clear shift toward industrialized mobile cybercrime, where infection, control, and monetization are tightly integrated.
From Simple Trojans to Dropper-Based Malware Pipelines
According to research published by Group-IB, attackers targeting users in Uzbekistan have moved away from distributing standalone malicious APKs. Instead, they are deploying dropper applications that masquerade as legitimate apps or media files and silently deploy encrypted payloads post-installation. Unlike traditional malware that immediately exposes itself during installation, droppers appear benign and only unpack the malicious component locally. Crucially, this process can occur without an active internet connection, allowing the malware to evade initial detection and static analysis.
At the center of these campaigns is an Android SMS stealer known as Wonderland (formerly WretchedCat), which has evolved into a real-time, bidirectional remote-controlled agent.
Wonderland: SMS Theft Meets Real-Time Remote Control
Wonderland enables attackers to establish persistent command-and-control (C2) communication with infected devices, allowing them to execute commands dynamically rather than relying on pre-programmed behavior. Its core capabilities include intercepting SMS messages and one-time passwords (OTPs), issuing arbitrary USSD requests, retrieving phone numbers and contact lists, suppressing notifications, and sending SMS messages for lateral propagation. The malware is commonly disguised as Google Play updates or innocuous file formats such as videos, images, or wedding invitations. Infection vectors include fake Google Play web pages, Facebook ads, dating apps, and Telegram messages.
Once installed and granted permissions, Wonderland enables attackers to hijack the victim’s Telegram account. If successful, the malware uses the compromised session to distribute malicious APKs to the victim’s contacts, creating a self-propagating infection loop.
End-to-End Attack Chain Overview
Rather than exploiting a single vulnerability, these campaigns follow a multi-stage orchestration pipeline:
- Initial Access: Victims are lured into sideloading APKs through fake Google Play pages, social media ads, dating platforms, or direct messages — often leveraging trusted branding or personal context.
- Payload Staging: The dropper decrypts and deploys the embedded payload locally, avoiding immediate network indicators.
- Capability Expansion: Attackers abuse legitimate Android permissions — SMS, Accessibility Services, notification listeners — to expand control without triggering exploit-based alerts.
- Account Takeover & Propagation: Telegram sessions associated with the victim’s phone number are hijacked, allowing the malware to spread directly to trusted contacts and group chats.
- Monetization & Control: OTP interception enables real-time financial fraud, while bidirectional C2 allows operators to adjust tactics dynamically.
Crucially, no single step appears overtly malicious in isolation. Risk only emerges when these behaviors are correlated.
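To make the correlation point concrete, here is an added example (not code from Group-IB's research or from the article) of a small behaviour-correlation check that only flags an app when several of the chain stages above co-occur for the same package. The event names, the stage rules, and the telemetry lines are constructed assumptions, not real detector output or a real telemetry schema.

```python
# Added example: correlate per-app behaviours into attack-chain stages.
# Event names and sample telemetry are constructed; map them to your own schema.
from collections import defaultdict

# Each stage from the article as the set of behaviours that must co-occur
# for one package before that stage counts as evidenced (hypothetical names).
STAGES = {
    "payload_staging": {"sideload_install", "file_write_dex", "no_network_yet"},
    "capability_expansion": {"perm_sms", "perm_accessibility",
                             "perm_notification_listener"},
    "account_takeover": {"sms_read_otp", "telegram_session_login"},
    "propagation": {"telegram_session_login", "sms_send_bulk"},
}
# One stage on its own is weak evidence (a chat app legitimately reads SMS);
# require at least two correlated stages before raising an alert.
MIN_STAGES = 2

def parse_log(lines):
    """Group 'timestamp package event' lines into {package: set(events)}."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed telemetry rather than crash on it
        _, pkg, event = parts
        seen[pkg].add(event)
    return seen

def stages_for(events):
    """Return the sorted names of stages fully evidenced by an app's behaviours."""
    return sorted(name for name, needed in STAGES.items() if needed <= events)

def correlate(lines):
    """Return {package: [stages]} for apps meeting the correlation threshold."""
    flagged = {}
    for pkg, events in parse_log(lines).items():
        stages = stages_for(events)
        if len(stages) >= MIN_STAGES:
            flagged[pkg] = stages
    return flagged

# Constructed telemetry: a benign messaging app and a dropper-delivered agent.
SAMPLE_LOG = """\
1700000001 com.example.chat perm_sms
1700000002 com.example.chat perm_notification_listener
1700000003 com.example.invite sideload_install
1700000004 com.example.invite file_write_dex
1700000005 com.example.invite no_network_yet
1700000010 com.example.invite perm_sms
1700000011 com.example.invite perm_accessibility
1700000012 com.example.invite perm_notification_listener
1700000020 com.example.invite sms_read_otp
1700000021 com.example.invite telegram_session_login
1700000030 com.example.invite sms_send_bulk
""".splitlines()

if __name__ == "__main__":
    for pkg, stages in correlate(SAMPLE_LOG).items():
        print(pkg, "->", ", ".join(stages))
```

Only the sideloaded package is flagged: the chat app requests SMS and notification access too, but never completes any stage on its own.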
Dropper Families and Telegram-Driven Operations
Group-IB attributes Wonderland’s delivery to multiple dropper families designed to conceal and decrypt the core payload locally. Two notable families include MidnightDat, first observed in August 2025, and RoundRift, which emerged in October 2025. Both emphasize heavy obfuscation and anti-analysis techniques to slow reverse engineering. Telegram plays a central role in the operation—not just as a distribution channel, but as the backbone of the malware supply chain. Build generation, command execution, and coordination are handled via Telegram bots. Each malicious build is associated with unique C2 infrastructure, limiting the blast radius of takedowns and improving operational resilience.
The ecosystem follows a structured hierarchy consisting of operators, developers, distributors, and validators who confirm stolen financial data. This division of labor mirrors mature malware-as-a-service (MaaS) models seen in desktop ransomware operations.
The Broader Android Malware Ecosystem
The Wonderland campaign is part of a wider surge in advanced Android malware families that blend financial fraud with surveillance and remote access. Cellik, recently analyzed by iVerify, is marketed on underground forums and offers full RAT functionality, including screen streaming, keylogging, microphone and camera access, notification interception, and app overlays for credential theft. Its most concerning feature is a one-click APK builder that allows buyers to embed the malicious payload into legitimate Google Play applications, dramatically lowering the technical barrier for attackers.
Another emerging threat, Frogblight, observed by Kaspersky, targets users in Turkey via SMS phishing campaigns impersonating court notifications. The malware abuses WebViews to steal banking credentials and is believed to be evolving toward a MaaS offering, based on the presence of centralized control panels and shared authentication keys.
Regional Expansion and Government Impersonation
In parallel, Android users in India have been targeted by a campaign dubbed NexusRoute. This operation leverages phishing portals impersonating government services to redirect victims to malicious APKs hosted on GitHub infrastructure. Once installed, NexusRoute deploys a fully obfuscated RAT capable of stealing UPI PINs, OTPs, card details, and extensive device telemetry by abusing accessibility services.
Analysis by CYFIRMA links NexusRoute to a professionally maintained underground development ecosystem, indicating long-term investment and operational maturity rather than opportunistic scamming.
Why This Matters
What ties these campaigns together is not just technical sophistication, but scale and automation. Malware is now being generated, customized, distributed, and controlled through turnkey platforms. Infrastructure rotates rapidly, droppers evade security tooling, and financial fraud is executed in near real time.
This evolution marks a shift in mobile threat modeling. Android malware is no longer a secondary risk compared to desktop threats—it is a primary attack surface, especially in regions where sideloading is common and mobile devices serve as the primary financial interface.
Final Thoughts
These campaigns demonstrate how Android malware has matured into a modular, service-driven cybercrime ecosystem. Droppers, SMS stealers, RATs, and phishing infrastructure are no longer separate tools but components of a unified attack framework designed for persistence, scalability, and profit. As attackers continue to weaponize trust in platforms like Google Play, Telegram, and government services, defending mobile ecosystems will require more than signature-based detection. Behavioral monitoring, permission abuse detection, and stronger controls around sideloading and accessibility services are becoming essential—not optional.
Mobile malware is no longer catching up to desktop threats. It has already surpassed them in speed, reach, and automation.