
A malicious adtech operation known as VexTrio Viper has developed several malicious apps published on Apple's and Google's official app storefronts, distributed under the guise of seemingly useful applications.
These apps pose as VPNs, device apps, RAM cleaners, dating services, and spam blockers, DNS threat intelligence firm Infoblox said in a detailed analysis shared with The Hacker News.
“They released apps under several developer names, including Holacode, Mocomind, Hugmi, Klover Group, and Alphascale Media,” the company said. “They are available on Google Play and the Apple App Store, and have been downloaded a total of millions of times.”
Once installed, these fake apps sign users up for subscriptions that are difficult to cancel, flood them with ads, and collect personal information such as email addresses. It is worth noting that Mocomind was previously flagged by Cyjax as part of a phishing campaign that serves ads falsely claiming that the device is infected.

One such Android app is Spam Shield Block. It claims to be a spam blocker for push notifications, but in reality it charges users repeatedly after persuading them to sign up for a subscription.
“They ask for money right away, and the ads are very destructive; we uninstalled it before even trying it out,” one user said in a review of the app on the Google Play Store.
Another review reads: “This app should be $14.99 a month. In February it was billed weekly at $14.99, which would be $70 per month / $720 per year. There’s no problem trying to uninstall it.”
How threat actors can make money using compromised sites and SmartLinks
The new findings lay bare the size of a multinational criminal enterprise that has run numerous traffic distribution services (TDSes) since 2015, committed fraud through ad networks, and operated payment processors and email verification tools such as Pay Salsa and DataSNAP.
“Vextrio and its partners have been successful in part because their business is obfuscated,” the company said. “But the majority of their success is because they know that they are stuck in fraud and therefore have less risk of consequences.”

Vextrio is known to run what are called commercial affiliate networks, acting as an intermediary between, for example, malware distributors who have compromised a collection of WordPress websites with malicious injections and threat actors who promote various fraudulent schemes.
The TDS is assessed to have been created by a shell company called Adspro Group. The key figures behind the organizations, based in Italy, Belarus and Russia, have expanded operations into Bulgaria, Moldova, Romania, Estonia and the Czech Republic since at least 2004, and have been linked to more than 100 companies and brands in 2015.

“Russian organized crime groups began building empires in advertising technology around 2015,” Dr. Renée Burton, VP of Infoblox Threat Intel, told The Hacker News. “Vextrio is an important group within this industry, but there are other groups. From dating scams to investment scams and information stealers, all sorts of cybercrimes use malicious adtech and are barely noticed.”
But what is noteworthy about the threat actors is their control of both the publisher and advertiser sides of affiliate networks, through a vast network of intertwined companies such as Technology, Los Pollos, Taco Loco, and Adtrafico. In May 2024, Los Pollos said it had 200,000 affiliates and over 2 billion unique users each month.
Broadly, the fraud unfolds this way: legitimate but unsuspecting users who land on infected sites are routed through TDSes under Vextrio’s control and delivered to fraudulent landing pages. This is achieved with SmartLinks, which route traffic through to the final landing page and hinder analysis.

Both Los Pollos and Adtrafico are cost-per-action (CPA) networks that allow publisher affiliates to earn fees when site visitors perform the intended actions. These may include accepting notifications on a website, providing personal information, downloading apps, or entering credit card information.
They are also known to be prolific spam distributors, reaching millions of potential victims, and have used email services such as Mailgun to promote their services.
Another important aspect is the use of cloaking services such as Imkuro to hide the real domains; these evaluate criteria such as user location, device type and browser to determine exactly what content is delivered.
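Because a cloaker decides what to serve from client signals such as location, device type and browser, and a TDS hides the scam behind a redirect chain, a defender investigating a suspicious link can request the same URL under several client profiles and compare where each request ends up. The following Python script, added here as an illustration and not part of the Infoblox analysis or any tool it describes, does that differential fetch; the `SimulatedCloaker`, the client profiles and all `.example` hostnames are constructed so the script runs offline, and `fetch` can be replaced with a real HTTP client for live use.

```python
"""Differential fetching to spot cloaked landing pages behind a TDS.

Constructed example: the server model, the client profiles and the
hostnames are invented stand-ins, not data from any real campaign.
"""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class ClientProfile:
    name: str
    user_agent: str
    accept_language: str
    country: str  # geolocation the cloaker would infer from the client IP


@dataclass
class FetchResult:
    final_url: str
    body: str
    hops: list = field(default_factory=list)  # every URL visited, first to last


# Assumed profiles: a scanner-looking client, a US desktop, a Brazilian phone.
PROFILES = [
    ClientProfile("scanner", "Mozilla/5.0 (compatible; SecurityScanner/1.0)", "en-US", "US"),
    ClientProfile("desktop_us", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "en-US", "US"),
    ClientProfile("android_br", "Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/124.0 Mobile", "pt-BR", "BR"),
]


class SimulatedCloaker:
    """Constructed server model: serves a harmless page to anything that looks
    like a scanner or a desktop, and sends mobile users in the targeted
    country through a redirect chain to a subscription-scam landing page."""

    BENIGN = "<html><body>Welcome to our cooking blog.</body></html>"
    SCAM = "<html><body>Your phone has 13 viruses! Install Cleaner now.</body></html>"

    def fetch(self, url: str, profile: ClientProfile) -> FetchResult:
        is_mobile = "Mobile" in profile.user_agent
        looks_like_bot = "scanner" in profile.user_agent.lower() or "bot" in profile.user_agent.lower()
        if is_mobile and not looks_like_bot and profile.country == "BR":
            hops = [url, "https://smartlink.example/go?c=br", "https://landing.example/cleaner"]
            return FetchResult(hops[-1], self.SCAM, hops)
        return FetchResult(url, self.BENIGN, [url])


def body_fingerprint(body: str) -> str:
    """Short content hash so pages can be compared without storing them."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def detect_cloaking(fetch, url: str, profiles):
    """Fetch `url` once per profile and group the outcomes.

    Returns (is_cloaked, outcomes): outcomes maps profile name to
    (final_host, body_fingerprint, hop_count); is_cloaked is True when
    at least two profiles end on a different host or a different page.
    """
    outcomes = {}
    for profile in profiles:
        result = fetch(url, profile)
        host = urlparse(result.final_url).hostname or ""
        outcomes[profile.name] = (host, body_fingerprint(result.body), len(result.hops))
    distinct = {(host, fp) for host, fp, _ in outcomes.values()}
    return len(distinct) > 1, outcomes


def diverging_profiles(outcomes, baseline: str = "scanner"):
    """Profiles whose outcome differs from the baseline (scanner) view."""
    base_host, base_fp, _ = outcomes[baseline]
    return sorted(name for name, (host, fp, _) in outcomes.items() if (host, fp) != (base_host, base_fp))


if __name__ == "__main__":
    cloaked, seen = detect_cloaking(SimulatedCloaker().fetch, "https://compromised-blog.example/recipe", PROFILES)
    for name, (host, fp, hops) in seen.items():
        print(f"{name:12s} -> {host:28s} hash={fp} hops={hops}")
    print("cloaking suspected:", cloaked, "diverging:", diverging_profiles(seen))
```

The scanner profile is used as the baseline on purpose: cloakers are built to show analysts the benign view, so the profiles that diverge from it are the ones that reveal the real landing page, and the hop count shows which of them passed through a SmartLink-style redirect chain.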
“The security industry, and most of the world, are now more focused on malware,” Burton said. “In a way, this is a victim’s criticism, and I believe that those who fall into fraud somehow deserve more of a fraud.”
“So stealing credit card information through malware is somehow ‘bad’ than being invited to give up, even if you want a stupid stroke of keys like the current fake Captcha/ClickFix attack. Cybersecurity education and greater awareness to treat fraud of the same severity as malware is a malicious way of doing things.”