New Android malware steals bank data quietly

How Wonderland Android malware evades detection and steals data

Group-IB analysts reported on a new piece of Android malware called Wonderland that targets users' banking data. Preliminary estimates suggest that the TrickyWonders group, which coordinates its activities through Telegram, may be involved in distributing it.

This information comes from Glavcom.


How does Wonderland work, and why is it difficult to detect?

Experts note that Wonderland differs from previous schemes in which people were forced to manually install suspicious APK files. Now, malicious code is embedded in seemingly ordinary applications that act as "droppers."

After installation, the program displays a message about "necessary updates," and it is under the guise of such an update that the main component of the virus enters the device. According to experts, a device can become infected even without an active internet connection — attackers hide the code in ordinary images or disguise it as Google Play Services.

Once activated, Wonderland gains control over SMS messages, which lets its operators intercept one-time passwords (OTPs) and other codes used by banking apps. The malware can also execute USSD commands, enabling the operators to control actions on the smartphone in real time, check balances, and transfer funds.

Group-IB emphasizes that Wonderland's distribution model resembles a well-organized "criminal business," with roles distributed among developers, distributors, and individuals who withdraw funds directly.

To minimize the risk of infection, experts recommend installing apps only from the official Google Play Store and being careful with requests for "updates" within third-party programs. They also recommend carefully checking permissions, especially those related to SMS access and special capabilities, and using a trusted antivirus program for mobile devices.
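The permission check recommended above can be automated across a fleet of devices. The following is an added example, not code from Group-IB or the article: it flags apps that were not installed from Google Play and hold SMS, dialing (needed to send USSD codes) or package-install permissions. The permission names and `com.android.vending` are real Android identifiers; the pipe-delimited inventory format and the package names are constructed for illustration.

```python
"""Added example: flag apps whose permissions match the behaviours described above."""

RISK_GROUPS = {
    "sms_access": {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"},
    "can_dial_ussd": {"android.permission.CALL_PHONE"},
    "can_install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
OFFICIAL_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed inventory (hypothetical packages): package|installer|permissions
SAMPLE_INVENTORY = """\
com.example.bank|com.android.vending|android.permission.INTERNET,android.permission.CAMERA
com.example.messenger|com.android.vending|android.permission.READ_SMS,android.permission.SEND_SMS
com.example.videoplayer|unknown|android.permission.REQUEST_INSTALL_PACKAGES,android.permission.INTERNET
com.example.update|unknown|android.permission.RECEIVE_SMS,android.permission.CALL_PHONE
"""

def parse_inventory(text):
    """Parse the assumed 'package|installer|perm,perm' lines into dicts."""
    apps = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        package, installer, perms = (f.strip() for f in line.split("|", 2))
        apps.append({"package": package, "installer": installer,
                     "permissions": {p.strip() for p in perms.split(",") if p.strip()}})
    return apps

def assess(app):
    """List the risk groups an app falls into, plus 'sideloaded' if not from Google Play."""
    findings = [name for name, perms in RISK_GROUPS.items() if app["permissions"] & perms]
    if app["installer"] not in OFFICIAL_INSTALLERS:
        findings.append("sideloaded")
    return findings

def review(text):
    """Return (package, findings) for apps needing manual review, most findings first."""
    flagged = []
    for app in parse_inventory(text):
        findings = assess(app)
        # Flag a sideloaded app with any sensitive capability, or SMS access plus dialing.
        if ("sideloaded" in findings and len(findings) > 1) or \
                {"sms_access", "can_dial_ussd"} <= set(findings):
            flagged.append((app["package"], findings))
    return sorted(flagged, key=lambda item: -len(item[1]))

if __name__ == "__main__":
    for package, findings in review(SAMPLE_INVENTORY):
        print(f"{package}: {', '.join(findings)}")
```

A Play-installed messenger with SMS permissions is not flagged on its own; the rule looks for the combination the article describes, not for any single permission.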
