VexTrio TDS Operators Developing Several Malicious Apps Posing as VPNs for Publication on Google Play and the App Store
The notorious VexTrio traffic distribution system (TDS) has expanded its cybercriminal operations beyond traditional web-based scams to include the development and distribution of malicious mobile applications designed to masquerade as legitimate VPN services.
This sophisticated threat actor, which has maintained a dominant presence in the malicious advertising ecosystem since 2015, is now leveraging app stores to deliver fraudulent software directly to unsuspecting mobile users worldwide.
VexTrio’s mobile app strategy represents a significant evolution in their attack methodology, moving from compromised websites and spam campaigns to direct app store distribution.
The threat group has developed multiple fake applications that pose as security tools, including VPN services and system optimizers, which are then submitted to major app distribution platforms.
These malicious apps serve as vehicles for the same fraudulent schemes that have made VexTrio infamous in the cybersecurity community, including dating scams, cryptocurrency fraud, and push notification abuse.
Through their subsidiary company LocoMind, which operates under the broader Apperito umbrella, VexTrio has created an app development infrastructure capable of producing and maintaining multiple fraudulent applications simultaneously.
Infoblox analysts identified that LocoMind has been responsible for developing at least seven different malicious applications, including various VPN clients and system utility tools marketed as security solutions for mobile devices.
The group’s flagship mobile offerings include FastVPN and several variants of system optimization tools disguised as “RAM cleaners” and performance boosters.
These applications, while appearing legitimate in app store listings, contain embedded code that, once the app is installed, redirects users into VexTrio’s established TDS infrastructure.
The apps utilize sophisticated obfuscation techniques to avoid detection by automated security scanning systems employed by app stores.
Infection Mechanism and TDS Integration
VexTrio’s mobile applications employ a multi-stage infection process that seamlessly integrates with their existing TDS infrastructure.
Upon installation, the malicious apps initially function as advertised, providing basic VPN connectivity or system optimization features to avoid immediate user suspicion.
However, embedded within the application code are tracking mechanisms that profile the user’s device, location, and usage patterns.
The apps communicate with VexTrio’s command and control servers using encrypted channels that mimic legitimate app update requests.
Once sufficient user profiling data has been collected, the applications begin displaying fraudulent advertisements and notifications that appear to originate from the device’s operating system rather than the installed app.
This technique, known as notification hijacking, allows VexTrio to maintain persistence even when users are not actively using the fraudulent application.
The malicious code within these apps includes sophisticated evasion mechanisms designed to detect analysis environments and security researcher tools.
When running on suspected analysis systems, the applications revert to benign behavior, displaying only legitimate functionality while remaining dormant.
This anti-analysis capability has enabled VexTrio’s malicious apps to maintain extended residence periods on major app distribution platforms before detection and removal.
VexTrio’s mobile expansion demonstrates the group’s adaptability and technical sophistication, representing a concerning evolution in their operational capabilities.
The integration of mobile malware distribution with their established TDS infrastructure creates new attack vectors that cybersecurity professionals must prepare to defend against as mobile-first fraud schemes continue to proliferate across global app ecosystems.