Two tales and one Antidot(e) — a new mobile malware campaign in Poland
By mvaks
Published: 2025-02-12 · Archived: 2026-04-05 22:47:23 UTC

Recently, the Polish cyber threat landscape has seen a growing number of malicious mobile applications. In addition to the apps impersonating the shopping platforms OLX and Allegro and the Polish bank PKO, described in the previous article, a new mobile malware campaign involving the Antidot malware has been detected.

Antidot was first described by researchers from Cyble in May 2024. At that time it was found masquerading as Google Play updates in the campaigns they detected. The malware has overlay and keylogging capabilities and includes a VNC module that lets attackers remotely control infected devices.

In recent campaigns in Poland, the criminals used an intriguing scenario built around a supposed update for the Google Chrome application. On compromised Polish websites they placed scripts that, when visited by an unsuspecting victim, displayed a message urging them to update their software. If the site was accessed from a computer using Safari, Google Chrome, or Edge, a .dmg file belonging to the SocGholish malware family was downloaded, ultimately leading to an infection with Lumma Stealer. If it was accessed from a mobile device, a message appeared stating that the site was using a new Chromium engine and prompting the download of an .apk file named Update_130.1.6723.108.apk. The file name, resembling a legitimate update version, was intended to make the victim less suspicious. The victim was then instructed to grant permission to install apps from third-party sources.
After installation on the device, an icon impersonating Google Chrome appeared on the home screen. The icon of the fake application (on the right) differs slightly from that of the original application (on the left).

The application also requested permission to send notifications. Additionally, it asked for permission to install other applications — the downloaded app was a dropper, meaning it carried another malicious application inside it.

After approving the installation, differences between the app icons could be noticed: the original one on top and the fake one below.

After granting that permission, a request to install the "Update" application appears. The hidden secondary application also requested Accessibility access in order to take control of the device.

Once the permissions were granted, a loading screen was shown to the victim, serving as a cover for the malicious activity running in the background.
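The chain described above (a "Chrome" dropper that asks to install a second package, which in turn declares an accessibility service) can be triaged from decoded manifests. The script below is an added example, not code from the article; it assumes manifests decoded with a tool such as apktool, and the two sample manifests and their package names are constructed for illustration, not the campaign's own indicators.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
CHROME_PKGS = {"com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text: str) -> dict:
    """Pull the indicators used in the Antidot chain out of one decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    return {
        "package": pkg,
        # dropper indicator: the app wants to install further packages itself
        "dropper": INSTALL_PERM in perms,
        # a service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service
        "accessibility": any(s.get(A + "permission") == A11Y_PERM for s in root.iter("service")),
        # brand impersonation: labelled "Chrome" but not a Google Chrome package name
        "impersonates_chrome": "chrome" in label.lower() and pkg not in CHROME_PKGS,
    }

def triage_chain(dropper_xml: str, dropped_xml: str) -> list:
    """Correlate a dropper with the app it installed; return the rules that fired."""
    d, p = triage_manifest(dropper_xml), triage_manifest(dropped_xml)
    rules = []
    if d["impersonates_chrome"]:
        rules.append("dropper impersonates Chrome")
    if d["dropper"] and p["accessibility"]:
        rules.append("sideloaded child declares an accessibility service")
    return rules

# Constructed sample manifests (hypothetical package names, not the campaign's IoCs).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Chrome"/>
</manifest>"""
UPDATE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <application android:label="Update">
    <service android:name=".A1234567890" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

An accessibility service on its own is not malicious (screen readers use the same mechanism); the chain rule fires only when it arrives through a sideloading dropper.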
The victim's screen becomes locked, and it is very difficult to get out of it.

So far, two compromised websites following this attack scenario have been identified in Poland. Both distributed applications connected to the same C2, but their checksums differed. The malware is obfuscated using custom encryption code and packed with JSONPacker. The code connected with accessibility services uses obfuscated names made up of long numbers.

[Figure: code connected with accessibility services (obfuscated names with long numbers)]
[Figure: the encryption code]

In the dex file, we find the application's C2.

[Figure: the C2 address in the dex file]

IOCs
Chrome (dropper): com.hilabilu.device, checksum 36b70e1789115dc4edfef8b7379f018f
Antidot: com.rocanoji.platform, checksum f6961a4bbd916f1e85f6a954f1155fb4
Chrome (dropper): com.zabogutajo.associative, checksum 83cc7472eb4efc947f3d7c1ebd410e85
Update (Antidot): com.fagulave.data, checksum 0772b1116df1586b419acfbff9f8d96c
C2: https:

Source: https://medium.com/@mvaks/two-tales-and-one-antidot-e-a-new-mobile-malware-campaign-in-poland-de704997096f