Beware of Weaponized Wedding Invite Scams That Deploy SpyMax RAT on Android Devices


A sophisticated Android phishing campaign has emerged across India, exploiting the cultural significance of wedding invitations to distribute malicious software.

The attack, dubbed “Wedding Invitation,” leverages the ubiquitous nature of digital communication platforms to target unsuspecting mobile users through carefully crafted social engineering tactics.

The malware campaign operates through popular messaging platforms including WhatsApp and Telegram, where attackers distribute seemingly legitimate digital wedding invitations that contain malicious APK files.


These deceptive applications masquerade as genuine wedding invitation apps, exploiting users’ trust and curiosity about a social event to get the malicious APK installed outside of the Play Store.

Broadcom researchers identified this threat as part of their ongoing security monitoring, noting the campaign’s sophisticated approach to mobile malware distribution.

The attack demonstrates the evolving landscape of mobile threats, where cybercriminals increasingly leverage social contexts and cultural practices to enhance their success rates.

Once successfully installed on target devices, the malicious application deploys SpyMax RAT or similar remote access trojan variants.

The malware hides its launcher icon so that the application does not appear in the app drawer, which makes it far less likely that a casual user notices or uninstalls it.

The spyware also registers to start when the device boots, so it survives reboots and keeps persistent access to the compromised device.

Infection Mechanism and Data Exfiltration

The SpyMax RAT deployment follows a multi-stage infection process designed to maximize data collection while minimizing detection probability.

Upon successful installation, the malware establishes comprehensive surveillance capabilities across multiple device functions.

The trojan harvests SMS messages, contact lists, call logs, keystrokes, and one-time passwords delivered by SMS, which lets the operators defeat SMS-based two-factor authentication on the victim’s accounts.
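The stealth and persistence traits above (hidden icon, start at boot) and the data the trojan harvests (SMS, contacts, call logs, keystrokes) all leave marks in an APK’s manifest, so a quick static triage of the decoded AndroidManifest.xml is a cheap first check on a suspicious “invitation” APK. The following script is an added example, not code from the article or from Broadcom/Symantec; the two manifests embedded in it are constructed for illustration and are not samples from the campaign. It assumes the manifest has already been decoded to plain XML (for example with apktool) and flags the relevant indicators: no MAIN+LAUNCHER activity (no icon to tap), a BOOT_COMPLETED receiver, an accessibility service (the usual keylogging hook), and SMS, contacts and call-log permissions.

```python
"""Static triage of a decoded AndroidManifest.xml for the spyware traits described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERM = "android.permission."
DATA_PERMS = {PERM + p for p in ("READ_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_CALL_LOG")}

# Constructed sample manifest (not taken from the campaign) resembling what apktool
# would decode for an APK with the traits described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.weddinginvite">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wedding Invitation">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".KeyService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: a normal launcher entry and no data permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def attr(name):
    """Namespaced android:* attribute key for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"


def _names(filt, tag):
    """android:name values of <action> or <category> children of an intent-filter."""
    return {x.get(attr("name")) for x in filt.findall(tag)}


def has_launcher_entry(app):
    """True if some enabled activity/alias has a MAIN+LAUNCHER filter, i.e. an app-drawer icon."""
    for comp in app.findall("activity") + app.findall("activity-alias"):
        if comp.get(attr("enabled")) == "false":
            continue
        for filt in comp.findall("intent-filter"):
            if ("android.intent.action.MAIN" in _names(filt, "action")
                    and "android.intent.category.LAUNCHER" in _names(filt, "category")):
                return True
    return False


def _declares_action(component, action):
    return any(action in _names(f, "action") for f in component.findall("intent-filter"))


def triage_manifest(xml_text):
    """Return package name, the indicator codes found, and a simple additive score."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(attr("name")) for p in root.iter("uses-permission")}
    findings = []
    if app is not None:
        if not has_launcher_entry(app):
            findings.append("no_launcher_icon")  # icon hiding: nothing to tap or notice
        if (PERM + "RECEIVE_BOOT_COMPLETED" in perms and any(
                _declares_action(r, "android.intent.action.BOOT_COMPLETED")
                for r in app.findall("receiver"))):
            findings.append("boot_persistence")
        if any(_declares_action(s, "android.accessibilityservice.AccessibilityService")
               for s in app.findall("service")):
            findings.append("accessibility_service")  # typical keylogging/screen-reading hook
    if perms & {PERM + "READ_SMS", PERM + "RECEIVE_SMS"}:
        findings.append("otp_interception")  # SMS access is what makes OTP theft possible
    if perms & {PERM + "READ_CONTACTS", PERM + "READ_CALL_LOG"}:
        findings.append("contact_and_call_log_harvest")
    return {"package": root.get("package"), "findings": findings, "score": len(findings),
            "data_permissions": sorted(perms & DATA_PERMS)}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

None of these indicators is malicious on its own (a launcher app legitimately starts at boot, a screen reader is an accessibility service), which is why the script reports the combination and a score rather than a verdict; an unsigned “invitation” APK that scores 4 or 5 here is worth detonating in a sandbox before anyone installs it.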

The exfiltration mechanism uses two channels. The primary channel is the Telegram Bot API: stolen data is posted to an attacker-controlled bot, so the traffic goes to Telegram’s own infrastructure over TLS and blends in with ordinary use of the service instead of standing out as a connection to an unknown server.

If the Telegram channel becomes unavailable or is taken down, the malware falls back to dedicated command-and-control servers, so the loss of one bot does not cut the operators off from infected devices.
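Routing exfiltration through the Bot API is good cover against reputation-based blocking, but it is also a usable detection: the official Telegram app speaks MTProto to Telegram’s data centers and never calls `https://api.telegram.org/bot<token>/<method>`, so Bot API paths in outbound traffic from a handset are not normal client behaviour. The script below is an added example, not code from the article or from any vendor; the proxy log lines and the bot token in it are constructed, and the space-separated log format is an assumption that would be adapted to whatever a real egress proxy or mobile VPN writes. It flags Bot API calls, classifies `send*` calls as exfiltration and `getUpdates` as tasking, redacts the token secret before it lands in an alert, and summarizes per source device.

```python
"""Flag Telegram Bot API traffic in outbound proxy logs (a spyware exfiltration tell)."""
import re
from collections import defaultdict

# Constructed proxy log lines (not a capture from the campaign):
# timestamp src_ip method host path status user_agent
SAMPLE_LOG = """\
2025-06-02T10:15:01Z 10.0.0.12 POST api.telegram.org /bot7201234567:AAHs3kLxQ9v8tYq2bN7wR1mZc4eP0dU6fGh/sendDocument 200 okhttp/4.9.0
2025-06-02T10:15:02Z 10.0.0.12 POST api.telegram.org /bot7201234567:AAHs3kLxQ9v8tYq2bN7wR1mZc4eP0dU6fGh/sendMessage 200 okhttp/4.9.0
2025-06-02T10:16:10Z 10.0.0.34 GET web.telegram.org /k/ 200 Mozilla/5.0
2025-06-02T10:17:45Z 10.0.0.12 GET api.telegram.org /bot7201234567:AAHs3kLxQ9v8tYq2bN7wR1mZc4eP0dU6fGh/getUpdates 200 okhttp/4.9.0
2025-06-02T10:18:00Z 10.0.0.50 POST example.com /api/login 200 Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ua>.+)$")
# Bot API tokens have the shape <numeric bot id>:<secret>; the secret is what must never be logged.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<api_method>[A-Za-z]+)")

EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
TASKING_METHODS = {"getUpdates"}  # polling the bot for operator commands


def classify(api_method):
    if api_method in EXFIL_METHODS:
        return "exfiltration"
    if api_method in TASKING_METHODS:
        return "tasking"
    return "other"


def detect_bot_api_exfil(lines):
    """Return one alert per Bot API call seen in the log lines, with the token secret redacted."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["host"].lower() != "api.telegram.org":
            continue
        b = BOT_PATH_RE.match(m["path"])
        if not b:
            continue  # api.telegram.org without a /bot<token>/ path: not a Bot API call
        alerts.append({
            "ts": m["ts"], "src": m["src"], "status": int(m["status"]),
            "bot_id": b["bot_id"], "token": f"{b['bot_id']}:<redacted>",
            "api_method": b["api_method"], "kind": classify(b["api_method"]),
        })
    return alerts


def summarize_by_source(alerts):
    """Per-device view: which bots it talks to and how many exfil vs tasking calls it made."""
    out = defaultdict(lambda: {"bot_ids": set(), "exfiltration": 0, "tasking": 0, "other": 0})
    for a in alerts:
        out[a["src"]]["bot_ids"].add(a["bot_id"])
        out[a["src"]][a["kind"]] += 1
    return dict(out)


if __name__ == "__main__":
    found = detect_bot_api_exfil(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print(summarize_by_source(found))
```

The bot id is kept in the alert because it is the pivot for blocking and for reporting the bot to Telegram, while the secret is dropped so the SIEM does not become a second copy of the attacker’s credential. A device that both polls `getUpdates` and posts documents to the same bot is the pattern to escalate; the same detection will go quiet if the malware switches to its fallback C2, so pair it with alerting on new direct-to-IP POST destinations from the same source.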

Symantec products detect this threat under multiple signatures, including Android.Reputation.2 and AppRisk:Generisk for the mobile component, while the web-based components are covered under security categories in all WebPulse-enabled products.
