
The operation jeopardizes the financial assets of millions of Uzbek mobile users and underscores the escalating sophistication of Android‑based fraud, prompting urgent security upgrades for both consumers and enterprises.
Uzbekistan’s mobile ecosystem has become a fertile ground for Android‑based financial malware, largely because Telegram dominates local communications. Attackers harvest legitimate Telegram credentials, then broadcast deceptive messages that prompt contacts to download seemingly harmless APKs. By masquerading as trusted apps or embedding malicious code within clean‑looking dropper packages, they exploit users’ trust in peer‑to‑peer recommendations, turning social networks into distribution channels that bypass official app stores.
The technical arsenal behind the campaign is notably diverse. Tools such as Wonderland and Qwizzserial focus on intercepting SMS verification codes, enabling unauthorized bank transfers, while dropper families like MidnightDat and RoundRift employ layered encryption and code obfuscation to evade sandbox analysis. These binaries request extensive permissions, masquerade as legitimate services, and even display fake uninstall prompts to appear benign. Their ability to repeatedly siphon funds until the device is reset makes them especially lucrative for cybercriminals, raising the stakes for financial institutions that rely on mobile banking.
Mitigating this threat requires a multi‑layered approach. Enterprises should deploy user‑session monitoring and integrate real‑time threat‑intelligence feeds to spot anomalous app behavior early. For end‑users, strict controls on sideloaded applications, regular OS updates, and cautious handling of unsolicited Telegram links are essential. The Uzbek case illustrates a broader shift: mobile malware is evolving from opportunistic scams to highly organized, financially driven operations, compelling the security industry to prioritize Android hardening and proactive threat hunting.