Android smartphone owners threatened by new virus
Group-IB analysts have reported the emergence of new malicious software for Android called Wonderland.
As BAKU.WS reports, according to Group-IB, this is an SMS stealer that spreads through infected droppers disguised as legitimate applications.
Whereas cybercriminals previously sent APK files and forced users to install them manually, thus gaining access to the device, a more covert scheme is now being used. As experts note, the malicious payload is embedded in seemingly harmless programs. Moreover, the malware component can be installed even without an internet connection.
According to Group-IB, the user only sees a notification about the need to update an already installed application. After such an "update," Wonderland gains access to SMS messages and one-time passwords. The presence of a two-way communication channel allows malware operators to control its actions in real time, including sending USSD commands.
Experts also indicate that malicious code can be hidden inside images or disguised as Google Play services. Immediately after installation, the malware begins intercepting OTP codes, which gives cybercriminals access to victims' banking operations and allows them to steal funds from their cards.
According to Group-IB estimates, the TrickyWonders group, which coordinates its actions via Telegram, is likely behind the distribution of Wonderland. Stolen user sessions are subsequently sold on dark web platforms.
Specialists emphasize that Wonderland's distribution model resembles a well-organized criminal business: roles are clearly divided among tool owners, developers, and distributors. Separate participants are engaged in verifying banking data and withdrawing stolen funds.