Choose Your Fighter: A New Stage in the Evolution of Android SMS Stealers in Uzbekistan
ID: 8ed67ce8-3247-526d-bb24-03a749ef726b
STIX ID: report--8ed67ce8-3247-526d-bb24-03a749ef726b
Feed Name: Group-IB Blog
Group-IB documents a significant evolution in Android SMS-stealer activity in Uzbekistan: attackers have shifted from directly distributed trojan APKs to stealthy droppers (MidnightDat, RoundRift) and a new stealer (Wonderland) with two-way C2 over WebSockets, which accepts remote commands, performs arbitrary USSD/SMS actions, and employs advanced anti-analysis and obfuscation. Distribution relies heavily on Telegram (including the use of stolen sessions), fake Google Play pages, and rapidly rotating domain-based C2, resulting in widespread financial fraud and substantial criminal profit.
