A sophisticated Android phishing campaign is spreading across India, using the cultural relevance of wedding invitations to deliver malicious software.
Named “Wedding Invitation,” the attack takes advantage of common digital communication habits to trick mobile users through carefully designed social engineering techniques.
Cybercriminals are distributing the malware through widely used platforms like WhatsApp and Telegram. They send what appear to be legitimate digital wedding invitations that include malicious APK files. These applications mimic real wedding invite apps, preying on users’ trust and interest in social gatherings to get them to install malicious software.
Researchers at Broadcom discovered the campaign during routine security monitoring and highlighted its advanced methods for distributing mobile malware.
This incident reflects the changing nature of mobile cyber threats, where attackers increasingly exploit cultural and social norms to raise their success rate.
Once the malicious app is installed on a device, it deploys the SpyMax RAT or similar remote access trojans.
The malware is designed to stay hidden, including the ability to remove its icon from the device’s home screen, making it harder for users to notice. It also activates automatically when the system starts, giving attackers persistent access to the device.
Infection and Data Theft
The SpyMax RAT follows a multi-step infection process aimed at collecting as much data as possible while avoiding detection.
After installation, the malware gains control over various functions of the infected device.
It collects sensitive data such as SMS messages, contacts, call logs, keystrokes, and one-time passwords used for authentication.
To send this stolen data, the malware uses two communication methods. The main method relies on Telegram bots, taking advantage of the platform’s encrypted messaging to mask the activity. As a backup, it also connects to command-and-control servers, ensuring data can still be sent if the primary method fails.
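A defender-side triage check for the capabilities described above (SMS and OTP access, contact and call-log harvesting, boot persistence, launcher-icon hiding), as an added example that is not part of the original article or of Symantec's tooling. It assumes an AndroidManifest.xml already decoded to plain XML (for instance with apktool) and runs against a constructed sample manifest, not a real file from the campaign.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name / android:permission in a decoded manifest.
A = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the data the article says the RAT collects, plus boot start.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS": "reads SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS (OTP theft)",
    "android.permission.READ_CONTACTS": "harvests contacts",
    "android.permission.READ_CALL_LOG": "harvests call logs",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start at boot",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the findings for a decoded AndroidManifest.xml and a simple count-based score."""
    root = ET.fromstring(manifest_xml)
    perms = {n for p in root.iter("uses-permission") if (n := p.get(A + "name"))}
    findings = [SENSITIVE_PERMS[p] for p in sorted(perms) if p in SENSITIVE_PERMS]
    # Persistence: a <receiver> whose intent-filter listens for BOOT_COMPLETED.
    if any(a.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
           for r in root.iter("receiver") for a in r.iter("action")):
        findings.append("boot receiver registered (persistence)")
    # Keystroke capture: a <service> bound with the accessibility-service permission.
    if any(s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        findings.append("accessibility service (keystroke capture)")
    # Icon hiding, static variant: no activity exposes a LAUNCHER category. Runtime icon
    # removal leaves the manifest untouched, so a missing finding here is not a clean bill.
    if not any(c.get(A + "name") == "android.intent.category.LAUNCHER"
               for act in root.iter("activity") for c in act.iter("category")):
        findings.append("no launcher activity (hidden icon)")
    return {"findings": findings, "score": len(findings)}

# Constructed sample manifest for demonstration; not taken from the real campaign.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

The score is only a count of matched behaviours; treat a high value as a reason to pull the APK into a sandbox, not as a verdict on its own.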
Symantec’s protection systems detect the threat using multiple signatures, including Android.Reputation.2 and AppRisk:Generisk for mobile threats. Web-based elements of the attack are covered under broad security categories within all WebPulse-enabled products.