A surge in Android malware campaigns has been observed across multiple regions, with attackers leveraging sophisticated droppers and SMS stealers to compromise user devices and drain bank accounts. Notably, the Wonderland dropper malware has been identified as hijacking Telegram sessions to facilitate unauthorized banking transactions, while other malware families such as Frogblight, NexusRoute, and Ajina.Banker are also implicated in recent attacks. These campaigns often distribute malicious APKs disguised as legitimate applications, with infection vectors including sideloading and direct delivery via messaging platforms like Telegram.
In Uzbekistan, threat groups such as TrickyWonders, Blazefang, and Ajina have been linked to a wave of attacks using SMS stealer malware, exploiting Telegram's popularity to propagate infections and steal credentials. Security researchers have highlighted the evolving tactics of these actors, including the use of AES-based droppers and multi-stage payloads, underscoring the persistent threat posed by Android-targeted malware in both financial and personal data theft.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
By December 23, 2025, reporting described Wonderland as a newly discovered Android dropper that used Telegram as a command-and-control channel. The malware was said to hijack devices, support unauthorized access to bank accounts, and use evasion techniques to maintain persistence and avoid detection.
AhnLab ASEC published its weekly mobile threat roundup on December 22, 2025, highlighting Android malware activity for the third week of December. The report identified Wonderland, Frogblight, and NexusRoute as notable threats observed during the period.
On December 19, 2025, Group-IB publicly disclosed details of the Android SMS-stealer campaign affecting Telegram users in Uzbekistan. The report highlighted multiple malware families, improved distribution and obfuscation, and guidance for users to monitor suspicious activity and reset infected devices.
During the Uzbekistan campaign, researchers observed attackers shifting to seemingly benign droppers that embedded stealers, along with anti-analysis techniques and frequent rotation of domains and package names. Group-IB characterized this as a significant increase in the operation's maturity and infection effectiveness.
Group-IB said a new wave of Android SMS-stealer activity targeting Telegram users in Uzbekistan began in October 2025. Multiple threat groups used Telegram-based social engineering to distribute malicious APKs that stole credentials and money and spread via victims' contacts.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourceasec.ahnlab.com
Open sourcedarkreading.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.