Fake CAPTCHA Bots & Malicious Apps – VexTrio’s New Tactics Hit Google Play and App Store Users

Cybersecurity researchers have uncovered an extensive malicious app operation by VexTrio. This cybercriminal organization has infiltrated major app stores with fake security tools, dating apps, and VPN services that have collectively garnered millions of downloads.

Million-Download Scam Apps Masquerade as Legitimate Services

VexTrio has released malicious applications under multiple developer names, including HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media, successfully bypassing app store security measures.

Dating apps like Hugmi and Cheri have each accumulated over one million downloads on Google Play despite user reviews revealing their fraudulent nature.

The organization’s “Spam Shield” app, marketed as a spam blocker for push notifications, exemplifies its deceptive tactics. While claiming to eliminate threats, the app merely disables browser notifications and displays fake monitoring interfaces showing blocked spam.

After a 24-hour trial period, users are forced into expensive subscription plans costing $6.99 monthly.

Technical analysis reveals that VexTrio’s VPN applications function as residential proxies rather than legitimate privacy tools, raising significant security concerns.

DNS records show these apps sharing infrastructure with VexTrio’s core operations, with IP address 136.243.216.249 simultaneously hosting HolaCode, AdsPro Digital, Los Pollos, and multiple scam applications.

[Figure: DNS records show that VexTrio domains are resolving at the same dedicated IP address as scam apps. Captured June 2025.]

Infrastructure Links Reveal Coordinated Criminal Enterprise

Researchers discovered that VexTrio’s applications contain deliberate naming confusion tactics, such as using the app ID “com.vpn.proxy.secure.wifi.turbovpn” to mislead users into believing their fake VPN is associated with the legitimate Turbo VPN service.

The apps’ terms and conditions frequently reference unrelated services, indicating rushed development and deployment processes.

[Figure: Spam Shield website links the app to the company Media Alliance s.r.o. Captured September 2024.]

The criminal organization operates through shell companies registered in Prague, including Techintrade s.r.o. and OILIMPEX s.r.o., which produce nearly identical scam applications with shared codebases.

DNS evidence shows domains like vm-oilimpex.holacode.tech and vm-technitrade.holacode.tech resolving to dedicated VexTrio IP addresses.
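The shared-hosting findings above (scam apps and VexTrio domains resolving to the same dedicated IP address, and the holacode.tech hostnames) are the kind of link a passive-DNS pivot surfaces. The following is an added example, not code from the article or the researchers; the rows are constructed, every IP is a documentation placeholder, and `pivot` and `max_hosts_per_ip` are hypothetical names.

```python
from collections import defaultdict, deque

# Constructed passive-DNS rows (hostname, IP). The two holacode.tech hostnames
# are quoted in the article; every IP is an RFC 5737 placeholder and all other
# hostnames are made up for this example.
RECORDS = [
    ("vm-oilimpex.holacode.tech", "192.0.2.10"),
    ("vm-technitrade.holacode.tech", "192.0.2.10"),
    ("scam-app-one.example", "192.0.2.10"),
    ("scam-app-one.example", "192.0.2.20"),
    ("scam-app-two.example", "192.0.2.20"),
    ("scam-app-two.example", "198.51.100.5"),  # busy shared-hosting IP
    ("blog.example", "198.51.100.5"),
    ("shop.example", "198.51.100.5"),
    ("forum.example", "198.51.100.5"),
    ("unrelated.example", "203.0.113.7"),
]


def pivot(records, seed, max_hosts_per_ip=3):
    """Map each hostname linked to `seed` by shared IPs to the linking IP.

    IPs serving more than `max_hosts_per_ip` hostnames are treated as shared
    hosting and not followed: co-residency there says nothing about ownership.
    """
    by_ip, by_host = defaultdict(set), defaultdict(set)
    for host, ip in records:
        host = host.lower().rstrip(".")
        by_ip[ip].add(host)
        by_host[host].add(ip)

    seed = seed.lower().rstrip(".")
    seen, queue, linked = {seed}, deque([seed]), {}
    while queue:  # breadth-first walk: host -> its IPs -> hosts on those IPs
        host = queue.popleft()
        for ip in sorted(by_host.get(host, ())):
            if len(by_ip[ip]) > max_hosts_per_ip:
                continue
            for peer in sorted(by_ip[ip] - seen):
                seen.add(peer)
                linked[peer] = ip
                queue.append(peer)
    return linked


if __name__ == "__main__":
    for host, ip in sorted(pivot(RECORDS, "vm-oilimpex.holacode.tech").items()):
        print(f"{host}\tshares {ip}")
```

Raising `max_hosts_per_ip` pulls in the unrelated sites on the busy IP, which is why the dedicated nature of the address matters when attributing co-hosted domains to one operator.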

Trademark Infringement and Celebrity Exploitation

VexTrio’s operations extend beyond app stores to include widespread trademark infringement, appropriating brands of celebrities like MrBeast, Donald Trump, and Elon Musk for cryptocurrency scams.

[Figure: A collage of scam landing pages related to VexTrio’s cryptocurrency, investment, sweepstake, and antivirus scam verticals.]

Their fake CAPTCHA robot images have appeared in numerous fraud reports over several years, serving as a recognizable signature of their operations.

The apps typically force users to watch incessant advertisements, bind them into difficult-to-cancel subscription contracts, and harvest personal information, including email addresses.

Security researchers warn that VexTrio’s ability to operate for over 15 years without significant legal consequences demonstrates critical gaps in current cybercrime enforcement.


The post Fake CAPTCHA Bots & Malicious Apps – VexTrio’s New Tactics Hit Google Play and App Store Users appeared first on Cyber Security News.

