{
	"id": "cf0787a6-8a19-42a3-8fdf-17d29abc7b2f",
	"created_at": "2026-04-06T00:18:52.901991Z",
	"updated_at": "2026-04-10T03:30:33.278674Z",
	"deleted_at": null,
	"sha1_hash": "b8ab1c40ec561c070f1e2b53d6b3b0fc0281e9d7",
	"title": "SpyMax – A Fake Wedding Invitation App Targeting Indian Mobile Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2878883,
	"plain_text": "SpyMax – A Fake Wedding Invitation App Targeting Indian Mobile Users\r\nPublished: 2025-06-20 · Archived: 2026-04-05 16:14:59 UTC\r\nWe recently received a report from an Android user, who is not a K7 customer, detailing fraudulent activity and the theft of funds from their bank accounts. This incident occurred following the installation of an APK file that they received via WhatsApp from one of their contacts.\r\nUpon subsequent investigation and analysis of the aforementioned APK file, we identified pertinent information that we felt would be beneficial to share.\r\nHere are our observations on how this malware sets the stage for its fraudulent activity.\r\nThis attack is a phishing campaign targeting Indian mobile users in the name of a “Wedding Invitation”. Below is the image of a message received by a user in WhatsApp (as shown in Figure 1).\r\nFigure 1: Wedding Invitation apk received from WhatsApp\r\nThis apk is Android SpyMax, a Remote Administration Tool (RAT) that has the capability to gather personal/private information from the infected device without the user’s consent and send it to a remote threat actor. This enables the threat actors to control the victim’s device via commands, which impacts the confidentiality and integrity of the victim’s privacy and data.\r\nThe malicious “Wedding Invitation.apk” is installed as shown in Figure 2.\r\nhttps://labs.k7computing.com/index.php/spymax-a-fake-wedding-invitation-app-targeting-indian-mobile-users/\r\nPage 1 of 12\r\nFigure 2: Wedding Invitation app\r\nOnce the user launches the malicious app, it asks the user to set this app as the default “Home app”. For it to install another app from its assets folder, the malware requests the user to enable “Install unknown apps” as shown in Figure 3.\r\nFigure 3: Request to enable unknown apps source\r\nAfter completing this process, the malware displays a system update message while, in the background, the malicious app decrypts an app from the app’s assets folder and installs it; the installed app package name is “com.android.pictach”, as shown in Figures 4 \u0026 5.\r\nFigure 4: Message disguised as a System message\r\nFigure 5: Installed additional app from the app’s assets folder\r\nThen, it requests the user to grant permissions for “Allow send and view SMS messages and access contacts” as shown in Figure 6.\r\nFigure 6: Prompts the user to allow SMS messages and read contacts\r\nOnce this RAT is installed on the device, it opens a fake Google Play services settings page and prompts the user to click “Open Settings” and grant full control of their device as shown in Figure 7.\r\nFigure 7: Request the user to grant full control of the device\r\nThe AndroidManifest.xml of “com.android.pictach” clearly shows that this app targets network service providers such as Airtel, Jio and BSNL as shown in Figure 8.\r\nFigure 8: Network service provider information\r\nFraudulent activity begins…\r\nWith the necessary permissions as shown in Figure 7, this APK acts as a Trojan with keylogger capabilities. It creates a directory “Config/sys/apps/log” in the device’s external storage, and the logs are saved to the file “log-yyyy-mm-dd.log” in the created directory, where yyyy-mm-dd is the date on which the keystrokes were captured, as shown in Figure 9. Keystrokes may include personal details such as banking details, credit card information, etc.\r\nFigure 9: Creating Log files\r\nThis RAT intercepts Notification objects from AccessibilityEvents, extracting sensitive information such as bank OTPs, WhatsApp messages, and 2FA codes directly from the device’s notification bar as shown in Figure 10.\r\nFigure 10: AccessibilityEvents\r\nSpyMax then combines all the exfiltrated data and compresses it (using the GZIPOutputStream API) before forwarding it to the C2 server as shown in Figure 11.\r\nFigure 11: DATA compression using GZIPOutputStream\r\nAwaiting C2 Commands…\r\nThis RAT contacts the C2 server IP 104.234.167[.]145 via port 7860; the address is obfuscated as shown in Figure 12.\r\nFigure 12: C2 URL\r\nFigure 13 shows the connection established with the C2.\r\nFigure 13: TCP connection with the C2 server\r\nAfter the connection is established, the malware sends the gzip-compressed data to the C2. The decompressed content of the data is shown in Figure 14.\r\nFigure 14: Decompressed gzip data showing IP address\r\nWe suspect that with the data collected (banking details) and the OTP obtained by reading the SMS from the notification bar of the victim’s device, it is possible to transfer funds to any other account. Also, as it collects the contacts information, it is possible to forward the apk to the contacts list, though we didn’t spot any such code in the sample we analyzed.\r\nWe analyzed the C\u0026C command ‘info’ and the associated APK. This command collects the clipboard and SMS data and checks the victim’s device for the presence of a hardcoded list of mobile security products, possibly with the aim of disabling them or forwarding the info to the C2.\r\nFigure 15: Collects the clipboard information\r\nFigure 16: Collects the SMS information\r\nFigure 17: Checks for the presence of security related products\r\nUsers are requested to be cautious while sharing any personal information or installing apps from any sources other than the Google Play store. At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Also keep your devices updated and patched against the latest vulnerabilities. More information on securing your mobile devices is available here.\r\nIndicators of Compromise (IoC)\r\nPackage Name | Hash | Detection Name\r\ncom.cristal.bristral.tristal.mistral | c58b2bacd7c34ef998497032448e3095 | Trojan ( 0001140e1 )\r\ncom.android.pictach | 66a7fd9bd39b1ba0c097698b68fd94a7 | Trojan ( 0001140e1 )\r\nC2:\r\n104.234.167[.]145\r\nMITRE ATT\u0026CK\r\nTactics | Techniques\r\nDefense Evasion | Application Discovery, Obfuscated Files or Information, Virtualization/Sandbox Evasion\r\nDiscovery | Security Software Discovery, System Information Discovery\r\nCollection | Email Collection, Data from Local System\r\nCommand and Control | Encrypted Channel, Non-Standard Port\r\nImpact | Account Access Removal, Data Encrypted for Impact\r\nSource: https://labs.k7computing.com/index.php/spymax-a-fake-wedding-invitation-app-targeting-indian-mobile-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/spymax-a-fake-wedding-invitation-app-targeting-indian-mobile-users/"
	],
	"report_names": [
		"spymax-a-fake-wedding-invitation-app-targeting-indian-mobile-users"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8ab1c40ec561c070f1e2b53d6b3b0fc0281e9d7.pdf",
		"text": "https://archive.orkl.eu/b8ab1c40ec561c070f1e2b53d6b3b0fc0281e9d7.txt",
		"img": "https://archive.orkl.eu/b8ab1c40ec561c070f1e2b53d6b3b0fc0281e9d7.jpg"
	}
}