Redazione RHC : 7 August 2025 21:52
The complex infrastructure of the fraudulent ad network VexTrio Viper has returned to the spotlight after researchers at Infoblox revealed details of a massive fake mobile app scheme.
Under the guise of legitimate services—from VPNs to RAM cleaners, spam filters to dating apps—fraudsters inserted malicious programs into the official Apple and Google app stores. These programs were distributed under the guise of various purported developers, including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media. The total number of downloads is in the millions.
Once installed, these applications forced users to accept opaque terms, tricked them into providing personal data, bombarded the device with aggressive advertising, and were difficult to uninstall. For example, an application called Spam Shield Block, disguised as an anti-spam tool, immediately demanded payment, and if the user refused, advertising made the device unbearable to use. Users complained about unreliable subscription prices, multiple charges, and the inability to uninstall—actions clearly aimed at stealthily extracting funds.
However, mobile apps are just the tip of the iceberg. VexTrio operates a network of fraudulent activities, including traffic distribution systems (TDS) that redirect users from hacked sites to fake pages. These TDS were disguised using so-called smartlinks, intelligent links that reveal the final address only at the last moment and adapt to the victim: their geographic location, device type, and browser. This allows them to bypass filters and complicates analysis by specialists.
Traffic to these traps is initially generated through hacked WordPress sites containing malicious code. Scammers use these sites to distribute fake advertisements, from lotteries to cryptocurrency scams.
Interestingly, the organization controls not only the advertising portion, but also the entire distribution chain: sending emails, processing payment data, and validating postal addresses. For example, the DataSnap service verifies the validity of emails, and Pay Salsa collects payments. Email spam is sent via fake domains that appear to be legitimate services like SendGrid and MailGun.
To hide the final domains and circumvent checks, the IMKLO service is used. This service filters incoming traffic and decides whether to display the deceptive page or hide it from investigators. This fine-tuning makes the campaign very hard to detect.
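The smartlinks and the IMKLO filtering described above share one observable trait from a defender's side: the same entry URL resolves to different final destinations depending on who follows it. The script below is an added illustration written for this article, not code from Infoblox or from the report; it reads constructed proxy-log lines (hypothetical format and hostnames, not real indicators) and flags entry URLs whose landing domain changes with the client profile, which is the signature a cloaking TDS leaves behind.

```python
"""Flag smartlink-style cloaking from redirect chains in proxy logs.

Assumed (constructed) log format, one hop per line:
  <client_id> <profile> <requested_url> <http_status> <location_header_or_->
<profile> is a label the proxy attaches to the client, e.g. device + country.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the same compromised-site URL sends an Android user in
# Italy to a subscription lure, while a crawler profile is shown a benign page.
# A second entry URL behaves identically for both profiles and is not flagged.
SAMPLE_LOG = """\
c1 android-IT http://compromised-blog.example/wp-content/x.php 302 http://tds.example/go?k=1
c1 android-IT http://tds.example/go?k=1 302 http://lure-sub.example/offer
c1 android-IT http://lure-sub.example/offer 200 -
c2 crawler-US http://compromised-blog.example/wp-content/x.php 302 http://tds.example/go?k=1
c2 crawler-US http://tds.example/go?k=1 302 http://benign-news.example/
c2 crawler-US http://benign-news.example/ 200 -
c3 ios-IT http://other-site.example/page 302 http://cdn.example/static
c3 ios-IT http://cdn.example/static 200 -
c4 crawler-US http://other-site.example/page 302 http://cdn.example/static
c4 crawler-US http://cdn.example/static 200 -
"""


def parse_chains(log_text):
    """Group hops per client id into (profile, [requested URLs in order])."""
    chains = {}
    for line in log_text.splitlines():
        client, profile, url, _status, _location = line.split()
        chains.setdefault(client, (profile, []))[1].append(url)
    return chains


def find_cloaked_entries(log_text):
    """Return {entry_url: {profile: landing_domain}} for entries whose final
    landing domain differs between client profiles (cloaking indicator)."""
    landings_by_entry = defaultdict(dict)
    for profile, urls in parse_chains(log_text).values():
        entry, landing = urls[0], urls[-1]
        landings_by_entry[entry][profile] = urlparse(landing).netloc
    return {entry: seen for entry, seen in landings_by_entry.items()
            if len(set(seen.values())) > 1}


if __name__ == "__main__":
    for entry, seen in find_cloaked_entries(SAMPLE_LOG).items():
        print(f"cloaking suspected for {entry}: {seen}")
```

Running the same entry URL through several client profiles (real browser on a mobile network versus a datacenter IP with a crawler User-Agent) and diffing the landing domains is the practical equivalent of this check against live infrastructure.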
The authors of the report emphasize that the success of such schemes is guaranteed not only by technical sophistication, but also by a legal gray area: fraudsters try to avoid direct viruses and malicious actions, remaining within the realm of deception and social engineering, where accountability is less common.
The main problem with this threat is the perception of such schemes as “less dangerous” than malware infections. While public attention is focused on Trojans and exploits, mass fraud involving subscriptions, credit cards, and personal data remains in the shadows. Developing digital hygiene training and rethinking attitudes toward “soft” scams is a key task in the fight against this type of crime.