Uzbek Users Under Attack by Android SMS Stealers


These articles are AI-generated summaries. Please check the original sources for full details.

Telegram users in Uzbekistan are being targeted with Android SMS-stealer malware, and the attacks are becoming more sophisticated. Group-IB research indicates a new wave of attacks began in October, involving threat groups like TrickyWonders, Blazefang, and Ajina.

The malware steals money and credentials via sideloaded APKs or Telegram messages, exploiting Telegram’s dominance in Uzbekistan for rapid propagation. Attackers leverage stolen Telegram access to trick contacts into installing malicious apps, creating a self-spreading infection chain.

Why This Matters

Ideal security models assume user awareness and prompt patching, but real-world Android malware campaigns exploit social engineering and obfuscation to bypass defenses. The financial impact of SMS stealing can be significant; malware can repeatedly withdraw funds until access is lost, highlighting the need for proactive detection and mitigation strategies.

Key Insights

  • Rapid Evolution: Attackers are adapting their tools and techniques quickly, as noted by Group-IB in December 2025.
  • Dropper Techniques: Malware now utilizes droppers that appear clean, bypassing initial security checks and making detection more difficult.
  • Obfuscation: Advanced obfuscation techniques, including confusing code, hinder sandboxing and analysis efforts.

Practical Applications

  • Use Case: Financial institutions in Uzbekistan must monitor user sessions and leverage threat intelligence to detect and prevent fraudulent transactions.
  • Pitfall: Relying solely on signature-based detection is ineffective against rapidly evolving malware utilizing obfuscation techniques.
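
As an alternative to signatures, the following added example (not from Group-IB or the original article) triages a decoded AndroidManifest.xml by the capabilities it declares. The verdict names and the "dropper-like" rule are assumptions made for illustration, and the manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS_PERMS = {P + "RECEIVE_SMS", P + "READ_SMS", P + "SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(xml_text):
    """Return (verdict, reasons) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    reasons = []
    sms = sorted(perms & SMS_PERMS)
    if sms:
        reasons.append("SMS access: " + ", ".join(p[len(P):] for p in sms))
    # A manifest-registered SMS receiver is woken for every incoming message.
    for filt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in filt.iter("action")}
        if SMS_ACTION in actions:
            prio = filt.get(ANDROID + "priority", "0")
            reasons.append(f"SMS_RECEIVED receiver (priority {prio})")
    can_install = P + "REQUEST_INSTALL_PACKAGES" in perms
    if can_install:
        reasons.append("can install other packages")
    if sms and P + "INTERNET" in perms:
        return "sms-stealer-like", reasons   # can read SMS and send it out
    if can_install and not sms:
        # Assumed heuristic: a "clean" dropper holds no SMS permission itself
        # and leaves that to the package it installs later.
        return "dropper-like", reasons
    return "no-flag", reasons

# Constructed sample manifests, not taken from any real sample.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{}">'

def _perm(name):
    return f'<uses-permission android:name="android.permission.{name}"/>'

PAYLOAD = (HEAD.format("com.example.payload") + _perm("RECEIVE_SMS")
           + _perm("READ_SMS") + _perm("INTERNET")
           + '<application><receiver android:name=".R">'
           + '<intent-filter android:priority="999">'
           + '<action android:name="android.provider.Telephony.SMS_RECEIVED"/>'
           + '</intent-filter></receiver></application></manifest>')
DROPPER = (HEAD.format("com.example.dropper") + _perm("INTERNET")
           + _perm("REQUEST_INSTALL_PACKAGES") + "<application/></manifest>")

if __name__ == "__main__":
    for name, doc in (("payload", PAYLOAD), ("dropper", DROPPER)):
        print(name, triage_manifest(doc))
```

Legitimate messaging apps and app stores declare the same capabilities, so a flag here is a prompt for review rather than a verdict of malice.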
