The malicious ad tech purveyor known as VexTrio Viper has been observed developing several malicious apps that have been published on Apple and Google’s official app storefronts under the guise of seemingly useful applications.
These apps masquerade as VPNs, device “monitoring” apps, RAM cleaners, dating services, and spam blockers, DNS threat intelligence firm Infoblox said in an exhaustive analysis shared with The Hacker News.
“They released apps under several developer names, including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media,” the company said. “Available in the Google Play and Apple store, these have been downloaded millions of times in aggregate.”
These fake apps, once installed, deceive users into signing up for subscriptions that are difficult to cancel, flood them with ads, and part with personal information like email addresses. It’s worth noting that LocoMind was previously flagged by Cyjax as part of a phishing campaign serving ads that falsely claim their devices have been damaged.
One such Android app is Spam Shield block, which purports to be a spam blocker for push notifications but, in reality, charges users several times after convincing them to enroll in a subscription.
“Right away it asks for money, and if you don’t, the ads are so disruptive that I uninstalled it before I was even able to try it,” one user said in a review of the app on the Google Play Store.
Another review went: “This app is supposed to be $14.99 a month. During the month of February I have been billed weekly for $14.99 that comes to $70 monthly/$720 a year. NOT WORTH IT. And having problems trying to uninstall it. They tell you one price and then they turn around and charge you something else. They’re probably hoping that you won’t see it. Or it will be too late to get a refund. All I want is this junk off of my phone.”
 |
| How threat actors leverage compromised sites and smartlinks to earn money |
The new findings lay bare the scale of the multinational criminal enterprise that’s VexTrio Viper, which includes operating traffic distribution services (TDSes) to redirect massive volumes of internet traffic to scams through their advertising networks since 2015, as well as managing payment processors such as Pay Salsa and email validation tools like DataSnap.
“VexTrio and their partners are successful in part because their businesses are obfuscated,” the company said. “But a larger part of their success is likely because they stick to fraud, where they know there is less risk of consequences.”
VexTrio is known for running what’s called a commercial affiliate network, serving as an intermediary between malware distributors who have, for example, compromised a collection of WordPress websites with malicious injects (aka publishing affiliates) and threat actors who advertise various fraudulent schemes ranging from sweepstakes to crypto scams (aka advertising affiliates).
The TDS is assessed to be created by a shell company called AdsPro Group, with key figures behind the organization from Italy, Belarus, and Russia engaging in fraudulent activity since at least 2004, before expanding their operations to Bulgaria, Moldova, Romania, Estonia, and the Czechia around 2015. In all, over 100 companies and brands have been linked to VexTrio.
“Russian organized crime groups began building an empire within ad tech starting in or around 2015,” Dr. Renée Burton, VP of Infoblox Threat Intel, told The Hacker News. “VexTrio is a key group within this industry, but there are other groups. All types of cybercrime, from dating scams to investment fraud and information stealers use malicious adtech, and it goes largely unnoticed.”
But what makes the threat actor notable is that it controls both the publishing and advertising sides of affiliate networks through a vast network of intertwined companies like Teknology, Los Pollos, Taco Loco, and Adtrafico. In May 2024, Los Pollos said it had 200,000 affiliates and over 2 billion unique users every month.
The scams, more broadly, play out in this manner: Unsuspecting users who land on a legitimate-but-infected site are routed through a TDS under VexTrio’s control, which then leads the users to scam landing pages. This is achieved by means of a smartlink that cloaks the final landing page and hinders analysis.
Los Pollos and Adtrafico are both cost-per-action (CPA) networks that allow publishing affiliates to earn a commission when a site visitor performs an intended action. This could be accepting a website notification, providing their personal details, downloading an app, or giving credit card information.
It has also been found to be a major spam distributor that reaches out to millions of potential victims, leveraging lookalike domains of popular mail services like SendGrid (“sendgrid[.]rest”) and MailGun (“mailgun[.]fun”) to facilitate the service.
Another significant aspect is the use of cloaking services like IMKLO to disguise the real domains and evaluate criteria like the user’s location, their device type, their browser, and then determine the exact nature of content to be delivered.
“The security industry, and much of the world, is more focused on malware right now,” Burton said. “This is in some sense victim blaming, in which there is a belief that people who fall for scams somehow deserve to be scammed more.”
“So, stealing your credit card information via malware – even when it requires some ridiculous stroke of keys, like the current fake captcha/ClickFix attacks – is somehow ‘worse’ than if you are conned into giving it up. Cybersecurity education and greater awareness for treating scams with the same severity as malware are two ways to combat malicious adtech.”