
Researchers at K7 Labs have uncovered a highly targeted Android spyware campaign aimed at Indian mobile users, using a seemingly innocent “Wedding Invitation” APK file shared via WhatsApp. Behind the social engineering lies a dangerous Remote Administration Tool (RAT)—SpyMax—capable of granting attackers full control over a victim’s device, including stealing SMS, OTPs, contacts, and banking credentials.
The malware begins its attack with a simple WhatsApp message disguised as a wedding invite. The file, “Wedding Invitation.apk”, is not from the Play Store, but from a contact—making the phishing vector appear legitimate.
Once opened, the app requests the user to:
- Set it as the default Home app
- Enable “Install unknown apps” permission
- Accept what appears to be a fake system update screen
“The malware decrypts an app from the app’s assets folder and installs another app; the installed app package name is com.android.pictach,” the report explains.
The true payload, com.android.pictach, launches a sophisticated surveillance operation:
- Prompts full device control through fake system settings
- Logs all keystrokes, saving them to log-yyyy-mm-dd.log under Config/sys/apps/log
- Intercepts notifications (including bank OTPs and WhatsApp messages) via AccessibilityEvents
- Compresses exfiltrated data with GZIPOutputStream before sending it to the attacker
“This RAT intercepts Notification objects from AccessibilityEvents, extracting sensitive information such as bank OTPs, WhatsApp messages, and 2FA codes,” the report warns.
The malware connects to the Command-and-Control (C2) server at 104.234.167[.]145:7860. Once a TCP connection is established, the compressed data collected from the victim is transmitted.
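As an added defensive example (not code from the K7 Labs report), the indicators above turned into a small triage script: a host-side check for the dropped package name and the dated keylog file, and a network-side check that flags the listed C2 endpoint or a raw gzip stream at the start of a TCP payload and inflates it for inspection. The `/sdcard` prefix, the dates, the second "rotated C2" address and all payload bytes are constructed sample data.

```python
import gzip
import re
import zlib

# Indicators from the write-up above; all sample data below is constructed.
C2_IP, C2_PORT = "104.234.167.145", 7860
PAYLOAD_PACKAGE = "com.android.pictach"
KEYLOG_RE = re.compile(r"Config/sys/apps/log/log-\d{4}-\d{2}-\d{2}\.log$")
GZIP_MAGIC = b"\x1f\x8b"  # header written by Java's GZIPOutputStream


def host_indicators(packages, paths):
    """Host-side triage: flag the dropped package and the dated keylog files."""
    found = []
    if PAYLOAD_PACKAGE in packages:
        found.append(f"package:{PAYLOAD_PACKAGE}")
    found += [f"keylog:{p}" for p in paths if KEYLOG_RE.search(p)]
    return found


def inspect_flow(dst_ip, dst_port, payload):
    """Network-side triage over one TCP payload; returns (reasons, text_or_None).
    Raw gzip at the start of a TCP payload has no HTTP/TLS framing around it,
    so it is flagged on its own and still fires if the C2 address rotates."""
    reasons = []
    if (dst_ip, dst_port) == (C2_IP, C2_PORT):
        reasons.append("known-c2")
    text = None
    if payload.startswith(GZIP_MAGIC):
        reasons.append("gzip-over-raw-tcp")
        try:  # inflate so an analyst can see what left the device
            text = gzip.decompress(payload).decode("utf-8", "replace")
        except (OSError, EOFError, zlib.error):  # truncated or corrupt capture
            pass
    return reasons, text


def run_triage():
    """Run both checks over constructed sample data and return the findings."""
    packages = ["com.whatsapp", "com.android.pictach", "com.android.settings"]
    paths = ["/sdcard/Config/sys/apps/log/log-2025-04-10.log", "/sdcard/DCIM/a.jpg"]
    flows = [
        ("104.234.167.145", 7860, gzip.compress(b"clipboard: sample (constructed)")),
        ("203.0.113.9", 7860, gzip.compress(b"same RAT, rotated C2 (constructed)")),
        ("203.0.113.9", 443, b"\x16\x03\x01\x02\x00"),  # start of a benign TLS hello
    ]
    return {"host": host_indicators(packages, paths),
            "flows": [inspect_flow(*f) for f in flows]}
```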
Interestingly, K7 Labs found that the malware also checks for the presence of mobile security products, hinting at its intent to disable or evade detection.
“This command collects the clipboard and SMS data and verifies the victim’s device for the presence of a hardcoded list of mobile security products.”
While the sample analyzed did not exhibit self-spreading behavior, researchers warn that the collection of the device’s contact list makes it possible for the malware to auto-forward itself in future versions.
“As it collects the Contacts information, it is possible to forward the apk to the contacts list, though we didn’t spot any such code in the sample we analyzed.”