
From VPNs to Dating Services and the Malicious Apps of VexTrio Viper Exposed

VexTrio and its malicious apps

The malicious ad tech purveyor known as VexTrio Viper actively develops several malicious apps that are published on Apple's and Google's official app storefronts, disguised as seemingly useful applications.

These apps masquerade as VPNs, device “monitoring” apps, RAM cleaners, dating services, and spam blockers, according to an exhaustive analysis shared by DNS threat intelligence firm Infoblox with The Hacker News.

“They released apps under several developer names, including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media,” the company stated. “Available in the Google Play and Apple store, these apps have garnered millions of downloads in total.”

Monthly Payments

Once users install these fake apps, the apps deceive them into signing up for subscriptions that are difficult to cancel, inundate them with ads, and harvest personal information such as email addresses. Notably, LocoMind was previously called out by Cyjax in connection with a phishing campaign that served ads falsely claiming the victims' devices had been damaged.

One such Android app, Spam Shield Block, claims to be a spam blocker for push notifications but, in reality, charges users multiple times after convincing them to enroll in a subscription.

“Right away, it asks for money, and if you don’t pay, the ads are so disruptive that I uninstalled it before I could even try it,” one user remarked in a review of the app on the Google Play Store.

Another review stated, “This app is supposed to cost $14.99 a month. During February, I have been billed weekly for $14.99, which totals $70 monthly or $720 a year. NOT WORTH IT. I also have problems trying to uninstall it. They tell you one price and then charge you something else. They’re probably hoping you won’t notice or that it will be too late to get a refund. All I want is this junk off my phone.”

How threat actors leverage compromised sites and smartlinks to earn money

The new findings reveal the scale of the multinational criminal enterprise that VexTrio Viper represents. Since 2015 the group has operated traffic distribution services (TDSes) that redirect massive volumes of internet traffic to scams through its advertising networks, and it also manages payment processors such as Pay Salsa and email validation tools such as DataSnap.

“VexTrio and their partners succeed partly because they obfuscate their businesses,” the company explained. “However, a larger part of their success likely stems from their focus on fraud, where they perceive less risk of consequences.”

Even WordPress Websites

VexTrio operates a commercial affiliate network, acting as an intermediary between malware distributors who compromise various WordPress websites with malicious injects (known as publishing affiliates) and threat actors who advertise various fraudulent schemes ranging from sweepstakes to crypto scams (known as advertising affiliates).

Experts assess that a shell company called AdsPro Group created the TDS, with key figures behind the organization hailing from Italy, Belarus, and Russia, engaging in fraudulent activity since at least 2004. They expanded their operations to Bulgaria, Moldova, Romania, Estonia, and the Czech Republic around 2015. In total, over 100 companies and brands have links to VexTrio.

“Russian organized crime groups began building an empire within ad tech around 2015,” Dr. Renée Burton, VP of Infoblox Threat Intel, told The Hacker News. “VexTrio stands out as a key group within this industry, but other groups also exist. All types of cybercrime, from dating scams to investment fraud and information theft, utilize malicious ad tech, and it often goes unnoticed.”

What makes this threat actor particularly notable is its control over both the publishing and advertising sides of affiliate networks through a vast network of interconnected companies like Teknology, Los Pollos, Taco Loco, and Adtrafico. In May 2024, Los Pollos reported having 200,000 affiliates and over 2 billion unique users each month.

How the scam works

The scams generally unfold in this manner: unsuspecting users who land on a legitimate but infected site are routed through a TDS under VexTrio’s control, which then directs them to scam landing pages. The redirect goes through a smartlink, a cloaked URL that hides the final landing page and complicates analysis.

Los Pollos and Adtrafico function as cost-per-action (CPA) networks, allowing publishing affiliates to earn a commission when a site visitor performs a desired action. This could involve accepting a website notification, providing personal details, downloading an app, or submitting credit card information.

Additionally, VexTrio has emerged as a major spam distributor, reaching millions of potential victims by leveraging lookalike domains of popular mail services like SendGrid (“sendgrid[.]rest”) and MailGun (“mailgun[.]fun”) to facilitate its operations.

Another significant aspect is the use of cloaking services such as IMKLO to disguise the real domains and to evaluate criteria such as the user’s location, device type, and browser, which determine exactly what content is delivered to that visitor.
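The three mechanics described above (defanged lookalike domains of mail services, the TDS redirect chain behind a smartlink, and cloaking that serves different content per location, device, or browser) can each be checked for on the defender's side. The following Python helpers are an added example and are not code from the original article or from Infoblox: `refang()` normalises defanged indicators such as "sendgrid[.]rest", `find_lookalikes()` flags hostnames that borrow a known mail-service brand name under a different registered domain, and `summarize_chains()` compares the recorded redirect chains seen by different client profiles and reports when they end on different landing hosts, the divergence that cloaking produces. The list of legitimate SendGrid and MailGun domains, the simple two-label notion of a registrable domain, and all sample indicators and redirect chains are constructed assumptions for illustration.

```python
"""Defensive helpers for the VexTrio mechanics described above (added example)."""
import re
from urllib.parse import urlsplit

# Brand -> legitimate registrable domains. The brands are the ones named on the
# page; the set of legitimate domains is an assumption for illustration only.
KNOWN_BRANDS = {
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "mailgun": {"mailgun.com", "mailgun.net", "mailgun.org"},
}

# Constructed sample indicators in the defanged notation used on the page.
SAMPLE_INDICATORS = [
    "sendgrid[.]rest",
    "mailgun[.]fun",
    "hxxps://sendgrid[.]net/track",   # legitimate-looking, should not be flagged
    "mail.example[.]org",             # unrelated host, should not be flagged
]

# Constructed redirect chains as a crawler might record them when fetching the
# same compromised page with two different client profiles (geo + device).
SAMPLE_CHAINS = {
    "desktop-us": [
        "https://compromised-blog.example/post",
        "https://tds.example/go?campaign=1",
        "https://landing-a.example/sweepstakes",
    ],
    "mobile-de": [
        "https://compromised-blog.example/post",
        "https://tds.example/go?campaign=1",
        "https://landing-b.example/dating",
    ],
}


def refang(indicator: str) -> str:
    """Turn common defanging ("[.]", "hxxp") back into a plain, lowercased form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label public suffixes)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_lookalikes(indicators):
    """Return (indicator, brand, registrable_domain) for hosts that borrow a brand name.

    A hit means the registrable domain's first label equals a known brand but the
    registrable domain itself is not one of that brand's legitimate domains,
    e.g. "sendgrid[.]rest" -> brand "sendgrid", domain "sendgrid.rest".
    """
    hits = []
    for ind in indicators:
        host = refang(ind)
        if "://" in host:
            host = urlsplit(host).hostname or ""
        reg = registrable_domain(host)
        brand_label = reg.split(".")[0]
        legit = KNOWN_BRANDS.get(brand_label)
        if legit is not None and reg not in legit:
            hits.append((ind, brand_label, reg))
    return hits


def summarize_chains(observed):
    """Summarise recorded redirect chains, one per client profile.

    observed: {profile_name: [url_0, url_1, ...]} where url_0 is the page first
    requested and the rest are the redirect hops in order.
    Returns hop count and final landing host per profile plus a "diverges" flag
    that is True when profiles ended on different hosts (a cloaking signal).
    """
    summary = {}
    for profile, chain in observed.items():
        final_host = urlsplit(chain[-1]).hostname or chain[-1]
        summary[profile] = {"hops": len(chain) - 1, "final_host": final_host}
    final_hosts = {entry["final_host"] for entry in summary.values()}
    summary["diverges"] = len(final_hosts) > 1
    return summary


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_INDICATORS):
        print("lookalike:", hit)
    for key, value in summarize_chains(SAMPLE_CHAINS).items():
        print(key, value)
```

In practice the redirect chains would come from a sandboxed crawler that fetches the same URL under several user agents and egress locations; a divergence in the final host is only a signal, since legitimate geo-targeting also produces it, so the landing hosts themselves still need to be reviewed or matched against known scam infrastructure.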

Source: TheHackerNews