An analysis released on Thursday by Group-IB said Wonderland initially infiltrates devices through a "dropper" disguised as a legitimate application, which then installs malicious components.
Unlike typical trojanized APK files that begin malicious activity immediately upon installation, Wonderland masquerades as a normal app before executing its malicious payload within the user's environment.
This technique allows the malware to be installed without a network connection and helps it evade initial security checks and static analysis. It also enables two-way communication, allowing attackers to issue commands in real time.
Once activated, Wonderland can intercept text messages (SMS) and OTPs, trigger USSD codes, steal contacts and phone numbers, hide notifications, and send additional SMS messages, the research said.
As a result, attackers are able to bypass financial authentication procedures to steal funds and use infected devices as secondary launch points for further attacks.
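The capability set the article lists (SMS/OTP interception, USSD dialing, contact theft, notification hiding, sending SMS, and dropper-style installation of extra components) maps onto specific Android runtime permissions, which gives a defender a concrete triage check. The script below is an added example, not Group-IB's analysis or any code from the malware: it parses permission lines in the shape of `adb shell dumpsys package <pkg>` output, groups granted permissions by the capability they enable, and rates each app. The package names and permission dumps are constructed sample input; the permission constants are real, and the allowlist for the default SMS app is an assumption you would replace with your fleet's own.

```python
"""Permission-based triage for the capability combination described above.

Added example (not Group-IB's code). Input is constructed text shaped like
`dumpsys package` permission lines; package names are made up."""

from dataclasses import dataclass

# Android permission constants grouped by the malware capability each enables.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "ussd_dialing": {"android.permission.CALL_PHONE"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "notification_hiding": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "dropper_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Assumed allowlist: the AOSP default messaging app legitimately holds SMS permissions.
DEFAULT_ALLOWLIST = frozenset({"com.android.messaging"})


@dataclass(frozen=True)
class AppRecord:
    package: str
    permissions: frozenset  # granted permission names


def parse_dumpsys_permissions(text):
    """Return the set of permissions marked granted=true in dumpsys-style text."""
    granted = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("android.permission.") and "granted=true" in line:
            granted.add(line.split(":", 1)[0])
    return frozenset(granted)


def capabilities(app):
    """Capabilities an app could exercise given its granted permissions."""
    return {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & app.permissions}


def assess(app, allowlist=DEFAULT_ALLOWLIST):
    """Rate an app: allowlisted / high / medium / low, plus the capabilities seen.

    High = can read SMS/OTPs and holds at least two further abuse-relevant
    capabilities, the profile the article attributes to Wonderland."""
    caps = capabilities(app)
    if app.package in allowlist:
        return "allowlisted", sorted(caps)
    if "sms_interception" in caps and len(caps) >= 3:
        return "high", sorted(caps)
    if "sms_interception" in caps or "dropper_install" in caps:
        return "medium", sorted(caps)
    return "low", sorted(caps)


def triage(dumps, allowlist=DEFAULT_ALLOWLIST):
    """Map package name -> (level, capabilities) for a dict of dumpsys texts."""
    return {
        pkg: assess(AppRecord(pkg, parse_dumpsys_permissions(text)), allowlist)
        for pkg, text in dumps.items()
    }


# Constructed sample input: three fictional packages in dumpsys-like form.
SAMPLE_DUMPSYS = {
    "com.example.wallpaper": """
        android.permission.INTERNET: granted=true
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.SEND_SMS: granted=true
        android.permission.READ_CONTACTS: granted=true
        android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    """,
    "com.android.messaging": """
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.SEND_SMS: granted=true
        android.permission.READ_CONTACTS: granted=true
    """,
    "com.example.flashlight": """
        android.permission.CAMERA: granted=true
        android.permission.READ_SMS: granted=false
    """,
}

if __name__ == "__main__":
    for pkg, (level, caps) in triage(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {level} {caps}")
```

A wallpaper app that can read and send SMS, read contacts and install packages gets rated high; the default SMS app is allowlisted rather than flagged, which is the main false-positive source for this kind of check, and a permission declared but not granted (the flashlight's `READ_SMS`) does not count.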
Researchers also found that Wonderland operators rely heavily on Telegram as a core part of their infrastructure. Once the user grants the requested permissions, attackers can hijack the victim's Telegram account using their phone number and then use the compromised account to push malicious apps to the contacts found in its chat histories and contact list.
Stolen Telegram accounts are currently being traded on the dark web and reused in subsequent attacks, the research added.
Wonderland is not the only threat targeting Android users. Other malware strains, including Nexus Root and Frogblight, have also been detected recently, often disguising themselves as legitimate apps, prompting heightened caution among users.
Copyright ⓒ Aju Press All rights reserved.