- The malicious group VexTrio Viper developed and shared a host of fake apps via legit app stores, new research reveals
- Malicious applications include VPNs, ad-blockers, RAM cleaners, and even online dating services
- VexTrio Viper employs traffic distribution systems (TDSs) to spread malware and other online scams since at least 2015
No matter if you download your VPN app through Google Play or Apple App Store, there’s still a chance it could be a malicious app developed by VexTrio Viper.
In an extensive report, researchers at Infoblox Threat Intel revealed how the fraudulent adtech group published a range of applications on official app stores – from virtual private network (VPN) and ad-blockers to RAM cleaners and even online dating services.
Thought to be active since 2015, VexTrio is a complex criminal enterprise that involves several companies and employs traffic distribution systems (TDSs) to spread malware and other online scams.
At least seven security apps impacted
“They released apps under several developer names, including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media. […] Available in the Google Play and Apple stores, these have been downloaded millions of times in aggregate,” Infoblox explained to The Hacker News.
Specifically, at least seven applications supposed to offer security tools have been developed by LocoMind, which in 2024 claimed over 500,000 downloads and 50,000 active users for their apps.
These include various VPN services, such as Fast VPN – Super Proxy, and other utility applications, like RAM cleaners.
Once users have installed these applications on their devices, they are bombarded with intrusive ads and prompted to sign up for deceptive subscriptions.
The team at Infoblox Threat Intel has tracked VexTrio’s malicious activities since 2022, publishing various reports throughout the years.
Among these, in June 2025, researchers disclosed a criminal web between WordPress hackers and a traffic distribution system (TDS) operated by the VexTrio group.
In 2024, they also unveiled VexTrio’s massive malicious affiliate program that worked like a food delivery service for criminals.
“In total, the VexTrio enterprise includes nearly a hundred companies and brands. The scope of their activities includes malicious apps and large-scale spamming operations, and as we published a few months ago, they have a special relationship with numerous website hackers,” notes researchers.
How to stay safe
This story is a stark reminder that it isn’t enough for an application to be on an official app store to be safe. You should be even more careful when it comes to a security tool, as cybercriminals are notorious for taking advantage of unprotected devices.
For instance, in April, an investigation found at least 20 free VPN apps with undisclosed Chinese ownership lurking in Apple’s official app store in the US. At least five of these were linked with a Shanghai-based firm believed to have ties with the Chinese military.
While the best VPN services boost your online anonymity and security by encrypting your internet traffic and spoofing your IP address, malicious apps pose risks to your privacy.
As a rule of thumb, you should only download a reliable service with a strong no-log VPN policy and a history of independent third-party audits.
If you aren’t willing to pay for a premium service just yet, I recommend checking Proton VPN and Privado VPN, as they currently are the best free VPNs on the market, according to TechRadar’s reviewers.
That said, our testing confirmed NordVPN as the best all-arounder right now, thanks to great security/privacy features and impeccable performance. Even better, perhaps, you may still be in time to grab TechRadar’s exclusive deal, which expires on August 12, 2025.