
"Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation - even without an active internet connection."
"Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or files of other formats, such as videos, photos, and wedding invitations."
"Wonderland is mainly propagated using fake Google Play Store web pages, ad campaigns on Facebook, bogus accounts on dating apps, and messaging apps like Telegram, with the attackers abusing stolen Telegram sessions of Uzbek users sold on dark web markets to distribute APK files to victims' contacts and chats."
Threat actors deploy malicious Android droppers disguised as legitimate applications to locally install an encrypted payload named Wonderland. The dropper can deploy the payload without an active internet connection. Wonderland provides bidirectional C2 communication to execute commands in real time, enabling arbitrary USSD requests and SMS interception. The malware impersonates Google Play or common file types like videos, photos, and invitations to evade detection. The financially motivated group TrickyWonders coordinates via Telegram and abuses stolen Telegram sessions to distribute APKs. Two dropper families, MidnightDat and RoundRift, are used to conceal the primary encrypted payload. Infection vectors include fake Google Play pages, Facebook ads, dating app accounts, and messaging apps.
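The dropper pattern described above (a harmless-looking APK that carries its payload inside the package and unpacks it locally, with no download step) leaves a static footprint that can be checked before the app is ever installed: a second archive or DEX file, or a large high-entropy blob, stored under `assets/` or `res/raw/`. The following triage script is an added example written for this page; it is not Group-IB's tooling, not code from The Hacker News article, and not tied to Wonderland, MidnightDat or RoundRift specifically. The entropy threshold, minimum blob size and the directories inspected are assumptions chosen for illustration, and the sample APKs are constructed in memory so the script runs offline with only the standard library.

```python
import io
import math
import os
import zipfile

# Heuristic settings (assumptions for this example, tune per environment).
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data approaches 8.0
MIN_BLOB_SIZE = 4096      # ignore tiny files, which skew entropy estimates
PAYLOAD_DIRS = ("assets/", "res/raw/")  # where droppers commonly stash payloads


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes) -> list:
    """Scan an APK (a ZIP container) for signs of an embedded, locally deployed payload.

    Returns a list of (member_name, reason) tuples; an empty list means nothing flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(PAYLOAD_DIRS):
                continue
            data = zf.read(name)
            if data.startswith(b"PK\x03\x04"):
                # Nested ZIP/APK regardless of the file extension it hides behind.
                findings.append((name, "embedded ZIP/APK archive"))
            elif data.startswith(b"dex\n"):
                # Dalvik bytecode outside the normal classes*.dex location.
                findings.append((name, "embedded DEX bytecode"))
            elif len(data) >= MIN_BLOB_SIZE:
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append(
                        (name, f"high-entropy blob ({ent:.2f} bits/byte), possibly encrypted payload")
                    )
    return findings


def build_sample(embed_payload: bool) -> bytes:
    """Construct a minimal APK-like ZIP for demonstration (constructed data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/strings.json", b'{"title": "Wedding invitation"}')
        if embed_payload:
            # A second APK disguised as an image, plus an "encrypted" config blob.
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
            zf.writestr("assets/invite.png", inner.getvalue())
            zf.writestr("assets/config.dat", os.urandom(8192))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("dropper-like", build_sample(True))):
        print(f"[{label}]")
        for member, reason in triage_apk(sample) or [("-", "nothing flagged")]:
            print(f"  {member}: {reason}")
```

The magic-byte checks catch payloads that were simply renamed, while the entropy check catches the encrypted case the article describes, where no file signature is visible until the dropper decrypts it at runtime. A finding is a lead for analysis, not a verdict: legitimate apps also ship compressed or obfuscated assets, so the output is best fed into a sandbox or manual review rather than used as a blocking rule on its own.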
Read at The Hacker News