Wedding Invitation Scam: SpyMax RAT Targets Indian WhatsApp Users, Stealing OTPs & Banking Credentials

Researchers at K7 Labs have uncovered a highly targeted Android spyware campaign aimed at Indian mobile users, using a seemingly innocent “Wedding Invitation” APK file shared via WhatsApp. Behind the social engineering lies a dangerous Remote Administration Tool (RAT)—SpyMax—capable of granting attackers full control over a victim’s device, including stealing SMS, OTPs, contacts, and banking credentials.

The malware begins its attack with a simple WhatsApp message disguised as a wedding invite. The file, “Wedding Invitation.apk”, is not from the Play Store, but from a contact—making the phishing vector appear legitimate.

Once opened, the app requests the user to:

• Set it as the default Home app
• Enable “Install unknown apps” permission
• Accept what appears to be a fake system update screen

“The malware decrypts an app from the app’s assets folder and installs another app; the installed app package name is com.android.pictach,” the report explains.

The true payload, com.android.pictach, launches a sophisticated surveillance operation:

• Prompts full device control through fake system settings
• Logs all keystrokes, saving them to log-yyyy-mm-dd.log under Config/sys/apps/log
• Intercepts notifications (including bank OTPs and WhatsApp messages) via AccessibilityEvents
• Compresses exfiltrated data using gZIPOutputStream before sending to the attacker

“This RAT intercepts Notification objects from AccessibilityEvents, extracting sensitive information such as bank OTPs, WhatsApp messages, and 2FA codes,” the report warns.

The malware connects to the Command-and-Control (C2) server at: 104.234.167[.]145:7860. Once a TCP connection is established, compressed data from the victim is transmitted.

Interestingly, K7 Labs found that the malware also checks for the presence of mobile security products, hinting at its intent to disable or evade detection.

“This command collects the clipboard and SMS data and verifies the victim’s device for the presence of a hardcoded list of mobile security products.”

While the sample analyzed did not exhibit self-spreading behavior, researchers warn that the collection of the device’s contact list makes it possible for the malware to auto-forward itself in future versions.

“As it collects the Contacts information, it is possible to forward the apk to the contacts list, though we didn’t  spot any such code in the sample we analyzed.”

Related Posts:

• Urgent Alert: “Free Wedding Invite” Scam Targets Senior Citizens, Steals Sensitive Data
• SpyMax – A New Android RAT Targeting Telegram Users
• Massive Android SMS Stealer Campaign Uncovered: Over 100,000 Malicious Apps Targeting Global Users
• CVE-2023-28936 allows attacker to access any arbitrary recording or room in Apache OpenMeetings
• APT29 Targets European Diplomats with Wine-Themed Phishing

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.