Analysis of malicious mobile applications impersonating popular Polish apps — OLX, Allegro, IKO
By mvaks
Published: 2025-02-09 · Archived: 2026-04-05 14:57:20 UTC
https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d

Cybercriminals are once again exploiting the popularity of online marketplaces by creating malicious mobile applications that imitate well-known platforms such as OLX and Allegro, or popular banking apps. These fraudulent apps are designed to trick unsuspecting users into handing over personal and financial information, which can end in identity theft and financial loss. The applications described here were found while going through a malware repository, not while investigating a known scam scenario.

1. OLX Payments (TrickMo)

The first analyzed application impersonates OLX, a well-known online marketplace operating in Poland. Its name, OLX Payments, suggests that it was built for a phishing campaign based on fake payment requests for purchases. The malware belongs to the TrickMo family, a well-documented Android banking trojan known for bypassing security controls and stealing sensitive user data.

We begin the analysis with the AndroidManifest.xml file, which declares the app's components and permissions. The manifest requests REQUEST_INSTALL_PACKAGES, which lets the app launch the installation of additional packages. This alone should raise a red flag: it is what allows the attacker to deploy further payloads from inside the app. Note that on current Android versions the victim still has to allow installs from this source and confirm each installation, which is why the malware later walks the user through those prompts.

Among the manifest entries we also notice an interesting android:name value, com.example.tiramisudropper.b, which further confirms that the analyzed file is a dropper. Since APK files are ZIP archives, we can simply unpack them and examine their contents in detail.
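The unpacking step, and the check on assets/ that follows, can be automated. The Python below is an added example written for this page, not code from the original analysis or from any of the malware families it discusses. It treats the APK as a ZIP, walks assets/ and every nested archive for secondary APKs/ZIPs and DEX files, and does a byte-level search of AndroidManifest.xml for the REQUEST_INSTALL_PACKAGES string (a real manifest is binary AXML whose string pool is UTF-8 or UTF-16LE, so both encodings are checked; use apktool or androguard for a full decode). The APK it triages is constructed in memory: the nested ZldSO.zip name mirrors the layout described later in the post, but its DEX members are stubs and the manifest is a UTF-16LE text stand-in.

```python
"""Added example for this page (not code from the original analysis): a first-
pass dropper triage of an APK treated as a ZIP archive. It flags nested
ZIP/APK payloads under assets/, DEX files hidden below the top level, and the
REQUEST_INSTALL_PACKAGES string in AndroidManifest.xml. The sample APK is
constructed in memory with stub contents; nothing here is real malware."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty ZIP/APK
DEX_MAGIC = b"dex\n"        # followed by a version such as b"035\x00"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def find_embedded_payloads(apk_bytes, max_depth=3):
    """Walk the archive and every nested archive, recording members that are
    themselves ZIPs (possible secondary APKs) or DEX files. Paths are joined
    with '/', e.g. 'apk/assets/payload.zip/classes3.dex'. Encrypted nested
    members are recorded but not descended into."""
    findings = []

    def walk(blob, prefix, depth):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + "/" + info.filename
                try:
                    data = zf.read(info.filename)
                except RuntimeError:          # password-protected member
                    findings.append({"path": path, "kind": "encrypted", "size": info.file_size})
                    continue
                if data[:4] == DEX_MAGIC:
                    findings.append({"path": path, "kind": "dex", "size": len(data)})
                elif data[:4] == ZIP_MAGIC:
                    findings.append({"path": path, "kind": "zip", "size": len(data)})
                    if depth < max_depth:
                        try:
                            walk(data, path, depth + 1)
                        except zipfile.BadZipFile:
                            pass              # truncated or deliberately damaged archive

    walk(apk_bytes, "apk", 0)
    return findings


def manifest_requests(manifest_bytes, permission=INSTALL_PERM):
    """Byte-level check for a permission string. Binary AXML string pools are
    UTF-8 or UTF-16LE, so both encodings are tested; decode with apktool or
    androguard when an exact parse is needed."""
    return (permission.encode("utf-8") in manifest_bytes
            or permission.encode("utf-16-le") in manifest_bytes)


def triage(apk_bytes):
    """Summarise dropper indicators for one APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    payloads = find_embedded_payloads(apk_bytes)
    # classes.dex / classesN.dex at the archive root are normal; anything deeper is not
    hidden_dex = [p["path"] for p in payloads if p["kind"] == "dex" and p["path"].count("/") > 1]
    archives = [p["path"] for p in payloads if p["kind"] in ("zip", "encrypted")]
    installs = manifest_requests(manifest)
    return {
        "requests_install_packages": installs,
        "embedded_archives": archives,
        "hidden_dex": hidden_dex,
        "likely_dropper": installs and bool(archives or hidden_dex),
    }


def build_sample_apk():
    """Constructed sample: an outer APK whose assets/ holds a ZIP of four stub
    DEX files, mimicking the layout described in the post. The manifest is a
    UTF-16LE text stand-in for the real binary AXML."""
    stub_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in ("", "2", "3", "4"):
            zf.writestr("classes%s.dex" % n, stub_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml",
                    ('<uses-permission android:name="%s"/>' % INSTALL_PERM).encode("utf-16-le"))
        zf.writestr("classes.dex", stub_dex)
        zf.writestr("assets/ZldSO.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_apk()), indent=2))
```

Run it against a real sample with `triage(open("sample.apk", "rb").read())`. A hit on `embedded_archives` or `hidden_dex` is a reason to pull the member out and analyze it as its own APK; a `likely_dropper` of True does not prove maliciousness on its own, since legitimate app bundles occasionally ship plug-in archives, but combined with an install-packages permission it is exactly the pattern the OLX and Allegro samples show.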
Tools like WinRAR or dedicated APK analysis tools let us extract and inspect the internal structure of the application. The assets directory deserves particular attention, because additional malicious payloads are often stored there: attackers frequently hide a secondary APK in assets, which the dropper installs later.

With a basic understanding of the malware's static properties, we move on to dynamic analysis and observe its behavior on a test device. After installation, an app resembling the original OLX app appears on the device screen. When opened, it prompts the user to update the Google Services application. Once the user allows installation of apps from this source, a prompt appears asking them to confirm the installation of the Google Services application. The app then, through instructions presented as necessary for it to work correctly, asks the user to grant it Accessibility Services permission, which gives it control over the device. After obtaining the necessary permissions, it opens a website that was unavailable at the time of analysis.
However, according to analyses by CSIRT KNF (the cybersecurity team of the Polish Financial Supervision Authority), the next step is a notification asking the user to log in to their bank account in order to receive the payment.

Further analysis of the application reveals a ZIP file named ZldSO.zip containing four DEX files. In classes3.dex we find the campaign's C2 address along with the rest of the application's configuration.

IOCs:
OLX Payments.apk, package nmrdiw.xhckto.wotzbp, MD5 8ebf4bdf9326073fa0577a2e1950e1af
deper.apk, package lansa.sis722.sers, MD5 2d34dbb4167ebb371e33f3ce700fdbc8
C2: hxxp://traktortany.org/c

2. Allegro (SpyNote)

Another fake app using the same theme impersonated Allegro, another popular platform for buying goods. This time the malware came from the SpyNote family. SpyNote is a malicious tool that abuses Accessibility Services and other Android permissions to collect SMS messages and the contact list, record audio and the screen, perform keylogging, bypass 2FA and track GPS location.

The AndroidManifest.xml again declares the ability to install additional applications, which indicates that this app is also a dropper. In the application code we find the package name of the SpyNote payload that the dropper will install.
In the assets folder of the APK we find the file childapp.apk, which is the actual malware. After installing the dropper on the phone, a new application with the Allegro logo appears on the screen. When opened, it shows a notification that an update is being downloaded and then asks the user to install it. The app then tries to obtain Accessibility Services access, through which it can control the victim's device. The user accepts the prompts and, without realising it, grants the app the right to manage the device.

The user is then shown the website wyplacic2750pln[.]info, which was no longer available at the time of analysis. However, URLScan results show how the page looked while it was live: the user was asked to select their bank in order to receive 2750 PLN, matching the site's name (wyplacic 2750 PLN means "withdraw 2750 PLN").
The hosting IP address was located in Turkey, which points to the likely origin of the threat actor behind the campaign. Pivoting on that IP address revealed further domains used to phish for customer data. In the code of the dropped application, user-facing messages in several languages were observed.

The analysis finally reached the application configuration, which was base64-encoded. Its CLINAME field is set to PL, which indicates the campaign's target country.

IOCs:
Allegro_Dropper, package com.appd.instll.load, MD5 01feacb77afef8a37f0476fdec8e74c2
childapp.apk, package traveling.nursery.cohen, MD5 52e3430121de4de3885b51803d69cce8
C2: 212.224.88.14:7771
Domains: 2750allegr0.info, wyplacic2750pln.info

3. IKO (NGate)

The third malicious application impersonates the official app of a Polish bank (IKO is the mobile banking app of PKO Bank Polski). This time the malware belongs to the NGate family, described last year by ESET, whose campaigns were observed in the Czech Republic. The attackers' goal is to capture the card PIN and relay the card's NFC traffic to another device using the NFCGate tool, so that the card can be used, for example, to withdraw cash from the victim's account at an ATM. The application's package name, de.tu_darmstadt.seemoo.nfcgate, is that of the open-source NFCGate research tool and confirms its use.
Once installed, the app asks for "customer verification" by tapping the payment card on the phone, and then asks the victim to enter the card's PIN. The application's configuration can be recovered by analyzing its code.

IOCs:
package de.tu_darmstadt.seemoo.nfcgate, MD5 2cb20971a972055187a5d4ddb4668cc2
C2: 38.180.222.230:5577
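The Allegro/SpyNote sample above kept its configuration base64-encoded inside the app, with a CLINAME field naming the target country. The following Python is an added example written for this page, not SpyNote's real configuration format and not the analyst's code: it scans a byte blob (a DEX file or a dump of its strings) for base64-alphabet runs, keeps only those that decode cleanly to printable text, and parses them as configuration. The newline-separated KEY=VALUE layout, the HOST and PORT field names and their values are assumptions made for the example; only the CLINAME field name comes from the analysis. The input blob is constructed to include a long class descriptor (same alphabet, not base64) and a base64 blob that decodes to binary, so the filtering steps are exercised.

```python
"""Added example for this page (not SpyNote's real format or the analyst's
code): hunt for base64-encoded configuration blobs in a DEX or strings dump
and pull out fields such as CLINAME. The newline-separated KEY=VALUE layout is
an assumption; only the CLINAME field name comes from the analysis."""
import base64
import binascii
import re
import string

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
PRINTABLE = set(string.printable.encode("ascii"))


def decode_candidates(blob):
    """Yield (offset, decoded) for each base64-alphabet run of 32+ chars that
    decodes cleanly to printable text. Long identifiers such as class
    descriptors share the alphabet but fail padding or decode to binary, and
    are skipped."""
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if decoded and all(b in PRINTABLE for b in decoded):
            yield m.start(), decoded


def parse_config(decoded):
    """Parse the assumed KEY=VALUE-per-line layout into a dict; lines without
    '=' are ignored."""
    cfg = {}
    for line in decoded.decode("ascii").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def find_config(blob, required_key="CLINAME"):
    """Return the first decoded candidate whose fields contain required_key,
    or None when no candidate looks like a configuration."""
    for _offset, decoded in decode_candidates(blob):
        cfg = parse_config(decoded)
        if required_key in cfg:
            return cfg
    return None


def build_sample_strings():
    """Constructed stand-in for a DEX string pool: a long class descriptor,
    the encoded config (hypothetical HOST/PORT values), and a base64 blob
    that decodes to non-text. Members are NUL-separated as in a real pool."""
    config = b"CLINAME=PL\nHOST=c2.example.invalid\nPORT=8080\n"
    return b"\x00".join([
        b"Lcom/example/SomeVeryLongHelperClassNameThatLooksLikeBase64;",
        base64.b64encode(config),
        base64.b64encode(bytes(range(48))),
    ])


if __name__ == "__main__":
    print(find_config(build_sample_strings()))
```

On a real sample, feed `find_config()` the raw classesN.dex bytes or the output of `strings`; the `required_key` argument is the anchor that tells a genuine configuration apart from other encoded text (resource strings, certificates) that also survives the printable filter.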