New Android Malware Can Now Harvest Data From Your Messages & Bank Accounts

Security researchers are warning of a major shift in Android malware activity going into 2026. Previously separate attack campaigns are converging, merging tools, techniques, and infrastructure to create more capable and harder-to-detect threats.

These evolving operations increasingly rely on deceptive dropper applications that appear harmless at first glance but later deploy advanced malware capable of stealing sensitive data and executing commands remotely.

The affected ecosystem includes devices running the Android operating system developed by Google, which remains the most widely used mobile platform globally. Attackers continue to target Android because of its scale, regional fragmentation, and the ease with which malicious apps can be distributed outside official app stores.

“Previously, users received ‘pure’ Trojan APKs that acted as malware immediately upon installation,” cybersecurity experts at Group-IB said in an analysis published last week. “Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection.”

Droppers and SMS Theft Drive Financial Attacks

Researchers tracking these campaigns report that modern Android malware now commonly abuses dropper apps to bypass initial detection. Once installed, the dropper deploys the main payload locally, allowing the malware to operate even without an active internet connection. These payloads focus heavily on SMS interception, particularly messages containing one-time passwords used for banking logins, digital wallets, and financial transactions.

After gaining access, the malware can read incoming messages, suppress system notifications, and forward authentication codes to attacker-controlled infrastructure. In many cases it can also send SMS messages from the infected device, enabling further spread through contact lists and trusted conversations. This functionality turns infected phones into both victims and distribution nodes, significantly amplifying attack reach.
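The capability combination described in the two paragraphs above (SMS access, a locally installed payload, and notification suppression) shows up in an app's manifest before any payload runs, which makes it a useful static triage signal. The script below is an added example written for this article, not Group-IB's tooling or any code from the report: it parses a decoded AndroidManifest.xml (assumed to have already been extracted from the APK with a tool such as apktool), checks for the real Android permission, service, and broadcast names involved, and grades the combination. The two manifests, package names, and class names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission, service and broadcast names. The grouping and the
# verdict thresholds are this script's own triage heuristic.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text: str) -> dict:
    """Grade a decoded manifest by the capability categories it declares:
    sms (read/receive/send SMS or an SMS_RECEIVED receiver), install (can
    install packages, which is how a dropper unpacks an embedded payload) and
    notif (binds a notification listener, used to read or hide alerts)."""
    root = ET.fromstring(xml_text)
    findings, categories = [], set()

    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_hits = sorted(perms & SMS_PERMS)
    if sms_hits:
        categories.add("sms")
        findings.append("sms permissions: " + ", ".join(sms_hits))
    if INSTALL_PERM in perms:
        categories.add("install")
        findings.append("can request package installs (dropper capability)")

    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM:
            categories.add("notif")
            findings.append("notification listener: " + (svc.get(ANDROID_NS + "name") or "?"))

    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                categories.add("sms")
                pri = filt.get(ANDROID_NS + "priority", "default")
                findings.append(f"SMS_RECEIVED receiver {rcv.get(ANDROID_NS + 'name')} priority={pri}")

    # SMS access alone is normal for a messaging app; it is the combination with
    # payload installation and notification control that matches the pattern.
    if {"sms", "install", "notif"} <= categories:
        verdict = "high"
    elif "sms" in categories and (categories & {"install", "notif"}):
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "categories": sorted(categories), "findings": findings}


# Constructed manifests for the demonstration; package and class names are made up.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.invite">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Wedding Invitation">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Chat">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("dropper-like", DROPPER_MANIFEST), ("messenger", MESSENGER_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{label}: {result['verdict']} {result['categories']}")
        for item in result["findings"]:
            print("   -", item)
```

The constructed dropper-like manifest scores "high" (all three categories present) while the plain messenger scores "low" even though it also reads SMS, which is the point of grading the combination rather than any single permission. A manifest check is only a first filter: droppers that carry the payload inside the APK and decrypt it at runtime can still declare little up front, so the result should feed a sandbox run or manual review rather than stand as a verdict on its own.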

The report also names the key threat actors and malware families adopting this approach:

Threat Actors:

  • TrickyWonders
  • Blazefang
  • Ajina

Malware:

  • Wonderland
  • MidnightDat
  • RoundRift
  • Qwizzserial
  • Ajina.Banker

Remote Command Control Increases Threat Severity

Beyond data theft, the latest Android malware operations now include full remote command capabilities. Analysts have observed malware receiving bidirectional instructions that allow attackers to execute commands in real time, including initiating USSD requests, accessing stored contacts, manipulating device settings, and running scripted actions without the user's awareness.

One of the most prominent examples is Wonderland, formerly known as WretchedCat, a malware strain that enables bidirectional command and control communication to execute commands in real time. This capability allows attackers to issue arbitrary USSD requests and intercept SMS messages, transforming infected devices into actively controlled assets rather than passive data sources.

Wonderland disguises itself as trusted content including fake Google Play interfaces, videos, photos, and even wedding invitations to trick users into installation. The malware is operated by a financially motivated threat actor known as TrickyWonders, which relies heavily on Telegram to coordinate malware development, distribution, and monetization. First discovered in November 2023, Wonderland is also linked to two dropper malware families, MidnightDat and RoundRift. These droppers are designed to conceal the primary encrypted payload and evade detection during the initial installation phase.

Telegram-Driven Distribution and Financial Fraud

Wonderland is primarily distributed through fake Google Play Store web pages, advertising campaigns on Facebook, bogus dating app accounts, and direct messaging via Telegram. A key tactic involves abusing stolen Telegram sessions belonging to Uzbek users, which are purchased from dark web marketplaces and then used to send malicious APK files directly to victims’ contacts and chats. This approach significantly increases trust and infection success rates.

Once installed, the malware gains access to SMS messages and intercepts one-time passwords used for banking authentication, enabling attackers to siphon funds directly from victims’ bank cards. Additional capabilities include retrieving phone numbers, exfiltrating contact lists, suppressing push notifications to hide security alerts, and sending SMS messages from infected devices to propagate further infections. Installation requires users to enable app installation from unknown sources, a step achieved through deceptive update prompts instructing victims to install an update to continue using the app.

Researchers note that once permissions are granted, attackers hijack the phone number to attempt a login to the victim’s Telegram account. If successful, the malware repeats the distribution process, creating a self-sustaining infection cycle that expands through trusted social networks with minimal friction.

Malware Evolution and Emerging Android Threats

Wonderland marks a significant evolution in Android malware activity in Uzbekistan, as threat actors abandon earlier spam-driven banking trojans in favor of heavily obfuscated strains designed for concealment and persistent control. Attackers strategically deploy dropper applications to make the malware appear benign during security checks, while both the dropper and SMS stealer actively use anti-analysis techniques to hinder reverse engineering and evade detection.

The operators behind Wonderland have also strengthened their infrastructure by rapidly rotating domains tied to individual malware builds. A dedicated Telegram bot generates each build, which workers then distribute in exchange for a share of stolen funds. Each build connects to its own command-and-control domains, allowing the operation to survive takedowns without disrupting the broader network. Group owners, developers, workers, and validators who verify stolen card details form a structured criminal ecosystem, underscoring a highly professional and hierarchical fraud operation.

Another strain, Cellik, is sold by threat actors on underground markets and promoted for its advanced capabilities. These include real-time screen streaming, keylogging, remote camera and microphone access, data wiping, notification interception, and credential-stealing app overlays. The malware’s most dangerous feature is a one-click APK builder that lets attackers embed Cellik into legitimate Google Play apps, dramatically lowering the technical barrier for large-scale attacks.

A further family, Frogblight, has been used to target users in Turkey through SMS phishing campaigns disguised as court documents. Its operators have been actively stealing banking credentials, SMS messages, call logs, installed app lists, and file system data through these attacks. Researchers believe the operators are preparing Frogblight for malware-as-a-service distribution, citing a centralized control panel and restricted access keys.

Meanwhile, attackers have targeted Android users in India with malware called NexusRoute, a highly sophisticated campaign that impersonates government services to deliver fully obfuscated remote access trojans. The malware abuses accessibility services and home-screen launcher privileges to harvest financial data and personal identifiers and to conduct surveillance, signaling a professionally engineered fraud and monitoring operation.

“The new wave of malware development in the region clearly demonstrates that methods of compromising Android devices are not just becoming more sophisticated – they are evolving at a rapid pace,” the Group-IB report says. “Attackers are actively adapting their tools, implementing new approaches to distribution, concealment of activity, and maintaining control over infected devices.”