New Android Malware “Wonderland” Uses Fake Apps to Steal OTPs and Remotely Take Over Devices

Tuesday, December 24, 2025

A new strain of Android malware known as “Wonderland” (also referred to as WretchedCat) has been observed spreading in Uzbekistan. The TrickyWonders group has shifted its tactics from directly tricking victims into installing malware to using dropper applications disguised as legitimate apps, such as fake Google Play apps or file viewer utilities. This approach helps deceive both users and security mechanisms. Once installed, the malware operates as a Remote Access Trojan (RAT), maintaining bidirectional communication with its command-and-control (C2) servers, enabling real-time remote control of infected devices. Its capabilities include stealing SMS messages, intercepting one-time passwords (OTPs), and abusing victims’ Telegram accounts to further spread malware to their contacts.

The operation is highly organized, with clear role separation between group leaders, developers, and malware distribution workers. The attackers leverage Telegram bots to automatically generate APK files embedded with unique C2 domains per build, reducing the risk of large-scale takedowns. In addition to Wonderland, researchers have noted a growing trend of Android Malware-as-a-Service (MaaS) offerings, such as “Cellik”, which enables attackers to rapidly inject malicious payloads into legitimate-looking apps sourced from the Play Store.

These developments highlight the evolution of mobile threats toward stealthy espionage tools capable of accessing sensitive and financial data while remaining difficult to detect. Users are strongly advised to increase vigilance by disabling installation from unknown sources, downloading apps only from official app stores, and avoiding files received via chat messages or social media advertisements, in order to reduce the risk of infection by sophisticated, hidden malware.

Source: https://thehackernews.com/2025/12/android-malware-operations-merge.html