287/68 Friday, August 8, 2025

Infoblox, a leading DNS threat intelligence firm, has exposed the activities of a global cybercrime syndicate known as “VexTrio Viper.” This group has been distributing fake mobile applications through both the Google Play Store and Apple App Store under various developer names such as HolaCode, LocoMind, Hugmi, and Klover Group. These apps are disguised as useful tools – including VPNs, spam blockers, RAM cleaners, and dating services – but are in fact designed to trick users into subscribing to difficult-to-cancel services, aggressively display ads, and covertly collect personal data.
One of the apps analyzed, “Spam Shield block,” claims to block spam notifications but instead charges excessive and recurring fees, often without clear prior notice. Some users reported unexpected charges of $14.99 per week, and noted that the app was difficult to uninstall. Investigations revealed that VexTrio operates a vast hidden network, controlling both fraudulent ad systems and content distribution channels via shell companies created to avoid cybersecurity scrutiny. These include AdsPro Group and affiliate networks like Los Pollos, Taco Loco, and Adtrafico, collectively reaching over 2 billion users per month worldwide.
Infoblox further noted that VexTrio is linked to a Russian cybercrime organization that has been expanding its operations since 2015. The group uses Traffic Distribution Systems (TDS) to automatically redirect visitors from compromised websites to malicious landing pages, and relies on domain cloaking services like IMKLO to evade detection. Researchers warned that this form of cybercrime often goes unnoticed because the public tends to focus on malware threats, even though online ad scams are equally harmful. The report urges increased public awareness and education around fraudulent ads and malicious apps in today’s digital landscape.
Source: https://thehackernews.com/2025/08/fake-vpn-and-spam-blocker-apps-tied-to.html