VexTrio TDS Deploys Malicious VPN Apps on Google Play and App Store

VexTrio, a sophisticated threat actor known for operating a massive traffic distribution system (TDS), has expanded its malicious activities by deploying fake VPN applications on major app stores, including Google Play and the Apple App Store.

Originating from a merger between Italian spammers and Eastern European developers around 2020, VexTrio’s TDS facilitates the redirection of web traffic from compromised sites to fraudulent endpoints, including scareware, cryptocurrency scams, and deceptive mobile apps.

Evolution of VexTrio’s Cybercrime Network

The group’s infrastructure, spanning bulletproof hosting providers and cloud services, supports high-volume operations that affect millions of users globally, with domains ranking in the top 10,000 most popular worldwide as of July 2025.

This evolution underscores VexTrio’s shift from spam-centric tactics to integrated adtech fraud, leveraging affiliate networks like Los Pollos and TacoLoco to monetize black-hat traffic sources.

Figure: The Los Pollos website in May 2024.

The deployment of malicious VPN apps represents a critical escalation in VexTrio’s tactics, where seemingly legitimate applications such as FastVPN are engineered to harvest user data and funnel traffic into their TDS ecosystem.

These apps, developed under entities like Apperito and LocoMind, masquerade as security tools promising RAM cleaning and encrypted browsing, but instead embed tracking mechanisms that profile users based on geolocation, device fingerprints, and behavioral patterns.

Once installed, the apps use the permissions they are granted to intercept the device's network traffic and inject smartlinks, which redirect users to cost-per-action (CPA) scams, including push notification abuse and credit-card-submit (CC submit) offers.
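A smartlink is a single entry URL whose destination depends on who is visiting, so an analyst enumerates the landing pages by walking the redirect chain under several device profiles. The following walker is an added example, not code from the report or from VexTrio; it runs offline against a constructed toy model of a TDS (`fake_tds_fetch`) that routes on User-Agent and Accept-Language, with hypothetical hostnames such as `smartlink.example`. The same `follow_chain` function works against a real HTTP client that returns status and headers without auto-following redirects.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def fake_tds_fetch(url, headers):
    """Constructed stand-in for an HTTP client, modelling a smartlink that
    routes Android users to a push-permission page, iPhone users to a
    CC-submit offer, and everything else (desktops, crawlers) to a benign page.
    A real run would use requests.get(url, headers=headers, allow_redirects=False)."""
    ua = headers.get("User-Agent", "").lower()
    lang = headers.get("Accept-Language", "en").split(",")[0].lower()
    if url == "https://smartlink.example/go":
        if "android" in ua:
            return Response(302, {"Location": "/push?lang=" + lang})
        if "iphone" in ua:
            return Response(302, {"Location": "https://cc-submit.example/offer"})
        return Response(200)
    if url.startswith("https://smartlink.example/push"):
        return Response(302, {"Location": "https://push.example/allow"})
    return Response(200)


def follow_chain(start_url, fetch, headers, max_hops=10):
    """Follow 3xx redirects manually, recording every hop.
    Returns (chain, outcome) where outcome is 'landed', 'loop' or 'max_hops'."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        resp = fetch(url, headers)
        if resp.status not in REDIRECT_CODES:
            return chain, "landed"
        # Location may be relative; resolve it against the current URL.
        nxt = urljoin(url, resp.headers.get("Location", ""))
        chain.append(nxt)
        if nxt in seen:          # TDS loops are common; stop instead of spinning
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "max_hops"


# Constructed device profiles; a real survey would also vary source IP/geolocation.
PROFILES = {
    "android_de": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile Safari/537.36",
        "Accept-Language": "de-DE,de",
    },
    "iphone_en": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
        "Accept-Language": "en-US",
    },
    "desktop_en": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0",
        "Accept-Language": "en-US",
    },
}


def enumerate_landings(start_url, fetch=fake_tds_fetch, profiles=PROFILES):
    """Walk the smartlink once per profile and return {profile: (chain, outcome)}."""
    return {name: follow_chain(start_url, fetch, hdrs) for name, hdrs in profiles.items()}


if __name__ == "__main__":
    for name, (chain, outcome) in enumerate_landings("https://smartlink.example/go").items():
        print(f"{name}: {outcome}: " + " -> ".join(chain))
```

Running the walker with a desktop profile alone would show a harmless page, which is exactly how a TDS hides from app-store reviewers and crawlers; the mobile profiles expose the push and CC-submit branches.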

Malicious VPN Apps
Figure: The LinkedIn profile believed to be Igor Voronin.

Historical analysis reveals at least seven such apps associated with VexTrio, with a combined total of over 500,000 downloads and 50,000 active users by 2024, reached through poisoned SEO results and compromised WordPress sites.

Technical Mechanisms

Technically, VexTrio's VPN apps integrate with their core TDS via domains like nxt-psh[.]com, which handle push monetization by repeatedly prompting users for notification permission, with an affiliate-configurable "aggression" parameter controlling how insistently the prompt is repeated.

Once permission is granted the push subscription persists after the page or app is closed, so victims are bombarded with clickbait notifications leading to IVR (premium-rate phone) offers or blank CC-submit forms that ask for card details, where affiliates earn payouts exceeding US$100 per lead for high-value fraud like nutra supplements or antivirus scams.

The apps’ backend connects to Swiss-hosted IP ranges under AS203639 and similar autonomous systems, originally leased by Italian founders for dating scam landing pages, now repurposed for crypto fraud and email validation services via tools like DataSnap.

By blending legitimate adtech facades with black-hat affiliations, VexTrio maintains plausible deniability while vetting affiliates through forums like Black Hat World, ensuring only experienced operators gain access to live smartlinks.

According to the report, the implications extend beyond individual scams: VexTrio's operations contribute to a projected US$172 billion in digital fraud costs by 2028, with investment scams alone costing U.S. victims US$16.6 billion in 2024.

Their convoluted corporate structure, involving nearly 100 entities across Europe and beyond, complicates attribution and takedowns, despite industry efforts that reduced their presence on compromised sites from 50% in 2022 to 40% in 2024.

Security researchers emphasize the need for enhanced app store vetting and DNS-based blocking to disrupt VexTrio’s TDS, as the group continues innovating with features like SmartRotation for varied scam landing pages.

As VexTrio sanitizes its online footprint post-exposures, ongoing monitoring of their Eastern European development hubs and Swiss headquarters remains essential to curb this pervasive threat.
