Fraudulent VPN and spam blocking applications associated with VexTrio are being utilized for advertisement deception and subscription scams.

VexTrio Viper, a malicious ad tech purveyor, has been identified as the developer behind several deceptive applications that have been published on both Apple and Google’s official app storefronts. These applications, which masquerade as useful tools such as VPNs, device monitoring apps, RAM cleaners, dating services, and spam blockers, have been downloaded millions of times. According to an exhaustive analysis by DNS threat intelligence firm Infoblox, VexTrio Viper has released these apps under various developer names, including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media. Once installed, these fraudulent apps trick users into signing up for subscriptions that are notoriously difficult to cancel, inundate them with advertisements, and extract personal information like email addresses. Notably, LocoMind has previously been flagged for its involvement in a phishing campaign that falsely claimed users’ devices were damaged.

One particularly egregious example is the Android app Spam Shield Block, which claims to be a spam blocker for push notifications but instead charges users multiple times after luring them into a subscription. User reviews on the Google Play Store highlight the app’s deceptive practices, with one user stating that the app demands payment immediately, while another reported being billed weekly at a rate that far exceeded the advertised monthly fee. The reviews express frustration over the difficulty of uninstalling the app and the misleading pricing structure, suggesting that VexTrio Viper is banking on users not noticing the discrepancies in charges. The findings reveal the extensive operations of VexTrio Viper, which has been redirecting significant volumes of internet traffic to scams through their advertising networks since 2015. Their success is attributed to the obfuscation of their business practices and a focus on fraudulent activities, where the perceived risk of consequences is minimal. VexTrio operates a commercial affiliate network, acting as an intermediary between malware distributors and those promoting various fraudulent schemes, including sweepstakes and cryptocurrency scams.