Android Malware Operations Merge Droppers, Sms Theft, And Rat...
Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan.
"Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection."
Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or files of other formats, such as videos, photos, and wedding invitations.
The financially motivated threat actor behind the malware, TrickyWonders, leverages Telegram as the primary platform to coordinate various aspects of the operation. First discovered in November 2023, it's also attributed to two dropper malware families that are designed to conceal the primary encrypted payload -
Wonderland is mainly propagated using fake Google Play Store web pages, ad campaigns on Facebook, bogus accounts on dating apps, and messaging apps like Telegram, with the attackers abusing stolen Telegram sessions of Uzbek users sold on dark web markets to distribute APK files to victims' contacts and chats.
Once the malware is installed, it gains access to SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims' bank cards. Other capabilities include retrieving phone numbers, exfiltrating contact lists, hiding push notifications to suppress security or one-time password (OTP) alerts, and even sending SMS messages from infected devices for lateral movement.
However, it's worth pointing out that sideloading the app first requires users to enable a setting that allows installation from unknown sources. This is accomplished by displaying an update screen that instructs them to "install the update to use the app."
"When a victim installs the APK and provides the permissions, the attackers hijack the phone number and attempt to log into the Telegram account registered with that phone number," Group-IB said. "If the login succeeds, the dis
Source: The Hacker News
