- Fake apps linked to VexTrio Viper appeared on official Apple and Google app stores, posing as useful utilities.
- These apps trick users into high-cost subscriptions, bombard them with ads, and collect personal data.
- VexTrio manages a large network of fraudulent advertising affiliates, operating worldwide for years.
- The group uses smartlinks and compromised websites to route users to scams, hiding the final landing page.
- Experts highlight the scale and sophistication of this multinational criminal enterprise in online ad tech fraud.
A network of fake mobile applications developed by a group called VexTrio Viper has been found on both the Apple App Store and Google Play Store. Security researchers report these apps appear to be tools like VPNs, device monitors, RAM cleaners, dating platforms, and spam blockers, but their real purpose is to scam users.
The apps use developer names such as HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media, according to threat intelligence firm Infoblox. Combined, these apps have been downloaded millions of times. After installation, they prompt users to sign up for subscriptions that are hard to cancel, flood devices with ads, and gather information such as email addresses.
One specific example is the Android app Spam Shield block, which claims to block push notification spam. Infoblox reports that instead of delivering its promised function, the app asks for payment immediately, with ads interrupting users who do not pay. Users have reported being charged as much as $70 per month—over $700 per year—despite thinking the subscription would cost $14.99 per month. Some also note difficulties in uninstalling the app.
Infoblox’s analysis details how VexTrio operates a complex fraud scheme. The group has run traffic distribution services (TDS) since 2015. These services redirect large amounts of internet traffic to scams using a web of affiliate networks, supported by payment processors like Pay Salsa and email tools such as DataSnap.
According to Infoblox, “VexTrio and their partners are successful in part because their businesses are obfuscated. But a larger part of their success is likely because they stick to fraud, where they know there is less risk of consequences.”
The affiliate network structure lets VexTrio act as a link between malware distributors (who compromise websites, often using WordPress) and other scammers advertising fraudulent schemes. The group’s shell companies, including AdsPro Group, Teknology, Los Pollos, Taco Loco, and Adtrafico, are connected to operations across Italy, Belarus, Russia, Bulgaria, Moldova, Romania, Estonia, and the Czech Republic. In May 2024, Los Pollos claimed over 200,000 affiliates and 2 billion monthly users.
Users who visit infected websites are sent through VexTrio’s TDS, then redirected—via smartlinks—to scam pages. These links hide the final page to make detection difficult and adjust scam tactics based on the visitor’s details.
VexTrio also spreads spam using lookalike domains like “sendgrid[.]rest” or “mailgun[.]fun” and uses cloaking tools (such as IMKLO) to tailor content based on a user’s device and location. Infoblox’s Dr. Renée Burton notes that “all types of cybercrime, from dating scams to investment fraud and information stealers use malicious adtech, and it goes largely unnoticed.”
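Lookalike sender domains of this kind (a known mail-service name under an unexpected TLD) can be flagged in mail logs. The following is an added example, not code from Infoblox or the original article; the allowlist of legitimate domains, the log format, and the function names are assumptions, and the log lines are constructed.

```python
import re

# Assumption: domains the defender treats as legitimate for each brand.
LEGIT = {
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "mailgun": {"mailgun.com", "mailgun.org", "mailgun.net"},
}

def refang(domain):
    """Undo "[.]" / "(.)" defanging; normalise case and trailing dot."""
    return re.sub(r"[\[\(]\.[\]\)]", ".", domain).strip().lower().rstrip(".")

def registrable(domain):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])

def lookalike_brand(domain):
    """Return the impersonated brand, or None if the domain is not suspicious."""
    d = refang(domain)
    reg = registrable(d)
    if any(reg in legit for legit in LEGIT.values()):
        return None  # genuine brand domain, or a subdomain of one
    # Brand used as a whole label or as a hyphen-separated token.
    tokens = re.split(r"[.\-]", d)
    for brand in LEGIT:
        if brand in tokens:
            return brand
    return None

# Constructed sample log; lookalike domains are kept defanged as on the page.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z from=<bounce@em123.sendgrid.net> to=<a@example.org>
2025-01-01T10:00:02Z from=<noreply@sendgrid[.]rest> to=<b@example.org>
2025-01-01T10:00:03Z from=<news@mail.mailgun[.]fun> to=<c@example.org>
2025-01-01T10:00:04Z from=<info@example.com> to=<d@example.org>
"""

def scan(log_text):
    """Return (sender_domain, impersonated_brand) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"from=<[^@>]+@([^>]+)>", line)
        if m and (brand := lookalike_brand(m.group(1))):
            hits.append((refang(m.group(1)), brand))
    return hits

if __name__ == "__main__":
    for domain, brand in scan(SAMPLE_LOG):
        print(f"lookalike of {brand}: {domain}")
```

Taking the last two labels as the registrable domain misjudges multi-part suffixes such as `co.uk`; a production check would use a public-suffix list.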
Security experts point out that the focus on malware sometimes overshadows the threat of scams. They advise increased cybersecurity awareness to address both equally.