{
	"id": "c88b150c-7357-4071-b93f-c87ecd3fecef",
	"created_at": "2026-04-06T00:06:30.809674Z",
	"updated_at": "2026-04-10T03:20:32.408875Z",
	"deleted_at": null,
	"sha1_hash": "8b214f3946e13081b64a160b30c7665f21cc3302",
	"title": "Analysis of malicious mobile applications impersonating popular Polish apps — OLX, Allegro, IKO",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3197864,
	"plain_text": "Analysis of malicious mobile applications impersonating popular Polish apps — OLX, Allegro, IKO\r\nBy mvaks\r\nPublished: 2025-02-09 · Archived: 2026-04-05 14:57:20 UTC\r\nCybercriminals are once again exploiting the popularity of online marketplaces by creating malicious mobile applications that imitate well-known platforms such as OLX and Allegro, or popular banking applications. These fraudulent apps are designed to deceive unsuspecting users into providing personal and financial information, ultimately leading to potential identity theft and financial loss.\r\nThese applications were uncovered through an analysis of a malware repository, rather than a known scam scenario.\r\n1. OLX Payments (TrickMo)\r\nThe first analyzed application impersonates OLX, a well-known online marketplace operating in Poland. The app, named OLX Payments, suggests that it may have been designed for a phishing campaign involving fake purchase payment requests.\r\nThis malware belongs to the TrickMo family, a well-documented strain known for its advanced capabilities in bypassing security measures and stealing sensitive user information.\r\nWe begin the analysis by examining the AndroidManifest.xml file, which defines the app’s core behaviors and permissions. In this file, we observe the REQUEST_INSTALL_PACKAGES permission, which allows the malware to install additional applications on the device. This alone should raise a red flag, as it enables the attacker to deploy further malicious payloads without user consent.\r\nhttps://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d\r\nPage 1 of 18\r\nDuring the permissions analysis, we notice an interesting string in the android:name field under the \u003cactivity\u003e section: com.example.tiramisudropper.b. This further confirms that the analyzed file is indeed a dropper.\r\nSince APK files are essentially ZIP archives, we can unpack them to examine their contents in detail. Tools like WinRAR or dedicated APK analysis tools allow us to extract and analyze the internal structure of the application. A closer look at the assets directory is particularly important, as additional malicious payloads are often stored there. Attackers frequently use this directory to conceal secondary APKs, which the dropper may install later without user consent.\r\nSince we have a basic understanding of the malware’s static properties, we proceed with dynamic analysis to observe its behavior on a test device.\r\nAfter installation, an app that resembles the original OLX app appears on our device screen.\r\nWhen opened, the application prompts the user to update the Google Services application.\r\nAfter accepting the installation of third-party applications, a notification appears on the screen asking you to agree to the installation of the Google Services application.\r\nThe application then presents instructions, supposedly required for the app to work correctly, asking the user to grant it Accessibility Services permissions, which allow it to take control of the device.\r\nAfter obtaining the necessary permissions, a website opens, which was unavailable at the time of analysis. However, according to analyses conducted by the cybersecurity team of the Polish Financial Supervision Authority (CSIRT KNF), the next step involves displaying a notification requesting the user to log into their bank account to receive the payment.\r\nThe analysis of the application reveals a ZIP file named ZldSO.zip, which contains four DEX files. In the classes3.dex file, we identify the campaign's C2 address along with the remaining configuration of the application.\r\nIOCs (file name / package name / hash):\r\nOLX Payments.apk nmrdiw.xhckto.wotzbp 8ebf4bdf9326073fa0577a2e1950e1af\r\ndeper.apk lansa.sis722.sers 2d34dbb4167ebb371e33f3ce700fdbc8\r\nC2 hxxp://traktortany.org/c\r\n2. Allegro (SpyNote)\r\nAnother fake app using the same theme was an app impersonating another popular platform for buying products — Allegro. In this case, the malware came from the SpyNote family.\r\nSpyNote is a malicious tool that abuses accessibility services and other Android permissions in order to collect SMS messages and the contacts list, record audio and screen, perform keylogging, bypass 2FA and track GPS location.\r\nBy analyzing the AndroidManifest.xml file, we also observe the possibility of installing additional applications. This indicates that the application is a dropper.\r\nAnalyzing the application code, we see the name of the SpyNote family software package that will be installed by the original application.\r\nLooking through the APK file resources in the assets folder, we see the file childapp.apk, which is the actual malware.\r\nAfter installing the dropper on the phone, a new application with the Allegro logo appears on our screen. When the app is opened, the user is shown a notification that an update is being downloaded, and is then asked to install it.\r\nThe application is sneakily trying to gain access to Accessibility Services, through which it will be able to control the victim’s device.\r\nThe user accepts the consents and unknowingly gives the app the rights to manage the device.\r\nThe user is then shown the website wyplacic2750pln[.]info, which at the time of analysis was no longer available.\r\nHowever, by analyzing the results from the URLScan page, it is possible to find the appearance of the page at the time of analysis.\r\nAs you can see, the user was asked to select their bank to receive 2750 PLN, in line with the name of the site.\r\nThe address, which belongs to Turkey, indicates the likely origin of the threat actor behind the campaign.\r\nBy analyzing the IP address on which the site was hosted, further domains used to phish for customer data were identified.\r\nAnalyzing the code of the dropped application, we observed user messages in different languages.\r\nThe final stage of the analysis reached the application configuration, which was encoded in base64. In the CLINAME field of the configuration, PL is entered, which of course indicates the target country of the campaign.\r\nIOCs (file name / package name / hash):\r\nAllegro_Dropper com.appd.instll.load 01feacb77afef8a37f0476fdec8e74c2\r\nchildapp.apk traveling.nursery.cohen 52e3430121de4de3885b51803d69cce8\r\nC2 212.224.88.14:7771\r\n2750allegr0.info\r\nwyplacic2750pln.info\r\n3. IKO (NGate)\r\nThe third malicious application observed impersonates the official application of one of the Polish banks. This time the malware is from the NGate family, which was described last year by ESET, and whose campaigns were observed in the Czech Republic.\r\nThe aim of the cybercriminals in this case is to steal the card PIN and extend the card’s NFC reach using the NFCGate tool, and thus use the card to, for example, withdraw cash from the victim’s account.\r\nIn addition, the name of the application package, de.tu_darmstadt.seemoo.nfcgate, indicates the use of the tool.\r\nOnce installed, the app asks for customer verification by tapping the credit card on the phone, and then asks the potential victim to enter the card’s PIN.\r\nBy analyzing the application code, we can find its configuration.\r\nIOCs (package name / hash):\r\npackage de.tu_darmstadt.seemoo.nfcgate 2cb20971a972055187a5d4ddb4668cc2\r\nC2 38.180.222.230:5577\r\nSource: https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d"
	],
	"report_names": [
		"analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d"
	],
	"threat_actors": [],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b214f3946e13081b64a160b30c7665f21cc3302.pdf",
		"text": "https://archive.orkl.eu/8b214f3946e13081b64a160b30c7665f21cc3302.txt",
		"img": "https://archive.orkl.eu/8b214f3946e13081b64a160b30c7665f21cc3302.jpg"
	}
}