An Android phishing campaign named “Wedding Invitation” utilizes the SpyMax RAT to steal banking and personal information from Indian mobile users through a malicious APK distributed via WhatsApp. The malware collects keystrokes, intercepts notifications for OTPs, and exfiltrates compressed data to a C2 server to facilitate fraudulent activities. #SpyMax #WeddingInvitation #AndroidRAT #IndianMobileUsers
Keypoints
- The “Wedding Invitation.apk” is a SpyMax Android RAT disguised as a wedding invitation sent via WhatsApp to Indian users.
- The malware prompts the user to set it as the default Home app and to allow installation from unknown sources, which it then uses to drop a second malicious app, “com.android.pictach”.
- It requests permission to send and read SMS messages and to read contacts, giving it direct access to SMS-delivered OTPs and to the victim's contact list.
- The RAT writes captured keystrokes to a log file on external storage and intercepts notifications, harvesting sensitive content such as bank OTPs and 2FA codes.
- Collected data is gzip-compressed and sent to a C2 server at 104.234.167[.]145 on TCP port 7860, the same channel over which the operator controls the device.
- The malware checks whether security products are installed on the device, presumably so it can evade or disable them.
- Users are advised to avoid installing apps from unofficial sources and use security products like K7 Mobile Security to protect their devices.
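The behaviours in the keypoints above (SMS send/read, contacts, installing a second package, registering as the default Home app, reading notifications) are all visible in an app's manifest before it ever runs. The following is an added triage example written for this page, not K7's tooling and not code from the sample; it takes a decoded AndroidManifest.xml (for instance from apktool), scores the combination of indicators, and returns a verdict. The two manifests embedded below are constructed for the example (the first reuses the primary package name from the IOC list but is not the sample's real manifest), and the weights are an editorial assumption chosen so that the reported combination scores high while any single permission on its own does not.

```python
"""Manifest triage for the SpyMax 'Wedding Invitation' behaviour pattern.
Added example, not K7's code. Input: a decoded AndroidManifest.xml string."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attributes
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Weights are an editorial assumption, not values from the report.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,  # "install from unknown sources"
}

# Constructed manifest reproducing the reported permission/component combination.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.cristal.bristral.tristal.mistral">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Wedding Invitation">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Score a manifest against the SpyMax indicators; returns package, score, findings, verdict."""
    root = ET.fromstring(manifest_xml)
    findings, score = [], 0

    declared = {el.get(A + "name") for el in root.iter("uses-permission")}
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in declared:
            findings.append("permission:" + perm.rsplit(".", 1)[1])
            score += weight

    for svc in root.iter("service"):
        # A bound notification listener sees every posted notification, including
        # bank OTP SMS and authenticator prompts, even without SMS permissions.
        if svc.get(A + "permission") == NOTIFICATION_LISTENER_PERM:
            findings.append("notification-listener:" + svc.get(A + "name", "?"))
            score += 4

    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            cats = {c.get(A + "name") for c in flt.iter("category")}
            # A HOME intent filter is what lets the app ask to become the default
            # launcher, so pressing Home returns to the malware instead of leaving it.
            if "android.intent.category.HOME" in cats:
                findings.append("home-launcher:" + act.get(A + "name", "?"))
                score += 3

    pkg = root.get("package", "")
    if pkg.startswith("com.android."):
        # Third-party code in the platform namespace (cf. com.android.pictach) is a red flag.
        findings.append("package:platform-namespace")
        score += 2

    verdict = "suspicious" if score >= 10 else "review" if score >= 5 else "low"
    return {"package": pkg, "score": score, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Run it over the manifests produced by `apktool d sample.apk` in bulk and sort by score; the point is the co-occurrence of a HOME launcher filter, a notification listener and REQUEST_INSTALL_PACKAGES in one app, which almost no legitimate invitation, utility or game needs.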
MITRE Techniques
- [T1027] Obfuscated Files or Information – The C2 address is stored in obfuscated form rather than as a plain string (‘C2 URL’).
- [T1083] File and Directory Discovery – Creates log directories on external storage into which keystrokes are written (‘Creating Log files’); the keystroke capture itself is closer to Input Capture (T1056).
- [T1518] Security Software Discovery – Checks for installed mobile security products, presumably to evade or disable them (‘Checks for the presence of security related products’).
- [T1114] Email Collection (applied here to SMS rather than email) – Collects SMS messages and clipboard contents from the device (‘Collects the clipboard information’, ‘Collects the SMS information’).
- [T1041] Exfiltration Over C2 Channel – Sends gzip-compressed stolen data to the C2 server (‘DATA compression using gZIPOutputStream’).
- [T1071] Application Layer Protocol – Communicates with the C2 over a raw TCP connection on non-standard port 7860 (‘TCP connection with the C2 server’).
- [T1566] Phishing – Delivered via WhatsApp link posing as a wedding invitation to trick users into installing the APK (‘phishing campaign targeting Indian Mobile users’).
Indicators of Compromise
- [File Hashes] MD5 of the malicious APKs – c58b2bacd7c34ef998497032448e3095 (com.cristal.bristral.tristal.mistral), 66a7fd9bd39b1ba0c097698b68fd94a7 (com.android.pictach)
- [IP Address] C2 Server Communications – 104.234.167[.]145 used for data exfiltration and command control
- [Package Names] Malicious apps involved – com.android.pictach (secondary app installed), com.cristal.bristral.tristal.mistral (primary APK)
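The exfiltration and C2 behaviour mapped under T1041/T1071 above, together with the IP and port in this IOC list, is enough to hunt retrospectively in network telemetry. The following is an added example for this page, not K7's detection content: it parses Zeek-style conn.log records, matches the published C2 IP and port, and additionally applies a generalised heuristic (an editorial assumption, not from the report) for long-lived raw TCP sessions to non-RFC1918 hosts on an unattributed port where the client uploads far more than it downloads, which is the shape of compressed exfiltration over TCP. It also shows how a captured blob from that channel can be inflated, since the report states the data is gzip-compressed. The log lines and the payload are constructed, not captures from the campaign.

```python
"""Hunt for SpyMax C2 traffic in Zeek conn.log records and inflate gzip payloads.
Added example, not K7's code; sample log lines and payload are constructed."""
import gzip
import ipaddress

C2_IP = "104.234.167.145"   # from the IOC list (defanged there as 104.234.167[.]145)
C2_PORT = 7860

CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn.log excerpt (tab-separated, header lines omitted).
SAMPLE_CONN_LOG = """\
1718000000.100000\tCabc1\t10.0.0.12\t41022\t142.250.74.46\t443\ttcp\tssl\t1.2\t900\t5400\tSF
1718000003.400000\tCabc2\t10.0.0.12\t41030\t104.234.167.145\t7860\ttcp\t-\t1850.0\t248000\t3100\tS1
1718000010.000000\tCabc3\t10.0.0.17\t51000\t203.0.113.9\t7860\ttcp\t-\t0.5\t120\t80\tSF
1718000020.000000\tCabc4\t10.0.0.21\t51500\t198.51.100.4\t5555\ttcp\t-\t1300.0\t180000\t900\tS1
"""


def defang(ip):
    """Render an IP for reports in the same bracketed style the IOC list uses."""
    return ip.replace(".", "[.]", 1).replace("[.]", ".", 0) if False else ip.rsplit(".", 1)[0] + "[.]" + ip.rsplit(".", 1)[1]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_conn_log(text):
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        for k in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
            rec[k] = int(rec[k])
        rec["duration"] = float(rec["duration"])
        records.append(rec)
    return records


def classify(rec):
    """Return the reasons a record is interesting; an empty list means nothing matched."""
    reasons = []
    if rec["id.resp_h"] == C2_IP:
        reasons.append("ioc:c2-ip")
    if rec["id.resp_p"] == C2_PORT and rec["proto"] == "tcp":
        reasons.append("ioc:c2-port")
    # Heuristic (assumption): long raw-TCP session to a non-RFC1918 host, no service
    # Zeek could attribute, and the client sending >10x what it receives.
    if (rec["proto"] == "tcp" and rec["service"] == "-" and not is_rfc1918(rec["id.resp_h"])
            and rec["duration"] > 600 and rec["orig_bytes"] > 10 * max(rec["resp_bytes"], 1)):
        reasons.append("heuristic:long-lived-upload-unknown-service")
    return reasons


def hunt(text):
    """Return (uid, defanged destination, port, reasons) for every matching record."""
    hits = []
    for rec in parse_conn_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["uid"], defang(rec["id.resp_h"]), rec["id.resp_p"], reasons))
    return hits


def inflate_if_gzip(payload):
    """The RAT gzips stolen data before sending; inflate blobs carrying the 1f 8b magic."""
    if payload[:2] == b"\x1f\x8b":
        return gzip.decompress(payload)
    return payload


# Constructed stand-in for an exfiltrated keystroke/notification log (not real campaign data).
SAMPLE_PAYLOAD = gzip.compress(b"[keylog] 2024-06-10 typed: 123456\n[notif] Your OTP is 987654")

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CONN_LOG):
        print(hit)
    print(inflate_if_gzip(SAMPLE_PAYLOAD).decode())
```

The IOC matches are exact and will age as the operator moves infrastructure; the heuristic is what catches the next SpyMax build on a different host and port, at the cost of also flagging legitimate long uploads on unusual ports, so treat it as a triage filter rather than an alert on its own.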