VexTrio Hackers Attacking Users via Fake CAPTCHA Robots and Malicious Apps into Google Play and App Store

A sophisticated cybercriminal organization known as VexTrio has been orchestrating a massive fraud empire through deceptive CAPTCHA robots and malicious applications distributed across Google Play and the App Store.

This criminal network, operating for over 15 years, has successfully infiltrated legitimate app stores with fraudulent software that has collectively garnered over one million downloads, while simultaneously conducting extensive spam campaigns targeting millions of users worldwide.

The threat actors behind VexTrio employ a multi-pronged attack strategy that combines fake CAPTCHA verification systems with malicious mobile applications to harvest user data and generate revenue through subscription fraud.

Their infamous robot CAPTCHA prompts users with messages like “PRESS THE ‘ALLOW’ BUTTON TO VERIFY YOU’RE HUMAN!” which serves as a gateway to their broader criminal ecosystem.

This deceptive interface has become synonymous with VexTrio operations and has been documented in numerous security reports over the years.

VexTrio’s operations extend far beyond simple spam, encompassing a comprehensive traffic distribution system (TDS) that delivers fraudulent content across multiple verticals including dating, cryptocurrency, and sweepstakes scams.

Infoblox analysts identified that the organization controls the majority of landing pages delivered through their smartlinks, benefiting doubly from their affiliate network operations.

The group’s infrastructure reveals a complex web of shell companies and technical partnerships that blur the lines between legitimate business and cybercrime.

The criminal organization has developed an extensive portfolio of malicious applications masquerading as legitimate services.

Their app catalog includes fake VPNs, device monitoring tools, spam blockers, and dating applications published under various developer names including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media.

These applications employ sophisticated social engineering techniques to extract subscription fees from unsuspecting users while bombarding them with intrusive advertisements.

Infection Mechanism and Persistence Tactics

VexTrio’s mobile applications utilize a carefully orchestrated infection chain that begins with seemingly legitimate functionality before transitioning to malicious behavior.

Their spam blocker application, Spam Shield, exemplifies this approach by initially providing basic notification blocking services while displaying fabricated security reports.

The application presents users with fake monitoring interfaces showing blocked spam and malicious notifications, creating an illusion of protection that justifies subscription fees.

The technical implementation reveals DNS records linking malicious applications to VexTrio’s infrastructure.

DNS analysis shows that IP address 136.243.216.249 simultaneously hosts HolaCode, AdsPro Digital, Los Pollos, and multiple scam applications, demonstrating the interconnected nature of their operations.

The applications employ residential proxy networks disguised as VPN services, raising significant privacy concerns as user traffic becomes part of their proxy infrastructure.

VexTrio’s persistence strategy extends beyond individual applications to encompass an entire ecosystem of fraudulent services.

Their email marketing operations utilize lookalike domains of established services such as SendGrid and MailGun, with domains like sendgrid.rest and mailgun.fun configured with specific SPF records that authorize mail servers at IP address 78.47.103.187.

This infrastructure supports massive spam campaigns that feed victims into their application ecosystem, creating a self-reinforcing cycle of fraud that has enabled the organization to operate with impunity for over a decade while generating substantial criminal profits through subscription scams and data harvesting.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.