We’ve been tracking a cluster of RDGA‑generated domains involved in distributing fake app‑store landing pages. These domains are consistently registered through Namecheap and protected by Cloudflare, which the operators use to obscure origin infrastructure and rapidly cycle through fresh front‑end domains.

The sites impersonate Google Play or iTunes, depending on the visitor's device user agent, presenting users with pages that look and feel legitimate. Instead of real apps, the pages deliver Progressive Web Applications (PWAs) that persist on the device and enable ongoing notification abuse.

PWAs are Chrome applications that run cross-platform (Windows, Linux, Android, iOS) and get added as an icon on the desktop of every device.

Once installed, the PWA triggers a redirection chain through one or more intermediary domains before sending users to online casinos, adult content, or other low-quality destinations. Because many of these casinos operate from regions where online gambling is restricted or illegal, the operators continually replace the final-stage domains. This use of RDGA and PWAs allows them to evade regional blocking, reputation systems, and automated detection controls by rotating infrastructure at scale and maintaining persistence on user devices.

fwiw, most large scale gambling operations like these are not simply illegal in the regions they target... they are scams and often connected to other major crimes, including human trafficking.


#threatintel #gambling #pwa #dns #fake #infoblox #threatresearch #malware #scam #fakeApp #googleplay #infobloxthreatintel #itunes

"Xed-Editor was updated to 3.1.0, and Git integration was moved to a standalone extension. The developer also warns users to only download the app from the official sources: F-Droid, IzzyOnDroid and the project Github, as somebody has put the app on Play without their approval. The same person/company has done the same for WhatSave unfortunately."

Source: https://f-droid.org/2025/05/22/twif.html

#xed #fdroid #android #playstore #fakeapp #psa #foss #opensource


VexTrio User Experience 5/N
 
So what next? Shall we do fake apps? 100% of these experiences come from starting with a compromised site and just allowing all notifications and permissions that are requested. This one came from a notification that the phone needed to be cleaned, and it recommended downloading the app Antivirus Toolkit from the Google Play store. What could go wrong? There are over 1M downloads! This scareware fake app was delivered via Monetizer; see the imgur link.
 
Then read the reviews. Like the other fake apps in this genre, it doesn't do anything except show ads and gain access to your personal information. We'll share some of the other fake apps in a different post; some of them are quite giggle-producing. But unfortunately, they work: people are scammed out of tons of money through these jerks.
 
Once installed, the app tells you that your browser is compromised, and you need to install a secure browser -- another one on the Google store with lots of downloads and seemingly good reviews. But finding the real reviews shows the same behavior… lots of ads and access to personal data.
 
I haven't tried to do any sandboxing or reverse engineering of these apps that the VexTrio affiliates are recommending; I'm just getting the full user experience.
 
In the meantime, the Antivirus Toolkit continues to push notifications, including that it has instaled (sic) and uninstaled (sic) Chrome for me.

Video of the virus app is here; only defanged as I maxed the image load for Mastodon.
https://imgur[.]com/a/bxPEyhB
 
#dns #threatintel #fakeapp #scam #scareware #phishing #vextrio #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

7-Zip #FakeApp observed serving #NetSupportRat

https[:]//7zlp2024[.]shop

>>

0511file24.msix (b3a95ec7b1e7e73ba59d3e7005950784d2651fcd2b0e8f24fa665f89a7404a56)

MGJFFRT466
NSM301071

62.76.234[.]49:443

A fake password manager has been pulled from Apple's App Store. You and your team need to check you haven't downloaded 'LassPass' to your iPhone. If you have, delete it and change your passwords.

#PasswordManager #Apple #FakeApp https://www.tomsguide.com/computing/password-managers/fake-lastpass-iphone-app-scam-what-you-need-to-know


12 Android applications to uninstall urgently from your smartphone.

Several malicious applications that were on Google Play have been installed more than 2 million times on Android smartphones and tablets.

#android #smartphone #google #FakeApp #Joker #HiddenAds #shooter #playstore #antivirus

https://lsdm.live/modules/news/article.php?storyid=4585

Beware bogus Betas – cryptocoin scammers abuse Apple’s TestFlight system - "Install this moneymaking app" - this one is so special that it isn't available on Google... https://nakedsecurity.sophos.com/2022/03/16/beware-bogus-betas-cryptocoin-scammers-abuse-apples-testflight-system/ #cryptocurrency #cryptocoinscam #testflight #cryptorom #malware #fakeapp #scammer #apple #ios
Naked Security Live – Beware ‘Flubot’: the home delivery scam with a difference - Here's the latest Naked Security talk - watch now! https://nakedsecurity.sophos.com/2021/05/03/naked-security-live-beware-flubot-the-home-delivery-scam-with-a-difference/ #nakedsecuritylive #phishing #android #privacy #fakeapp #malware #botnet #flubot #video #scam #ios

FAKEAPP: the fake was (almost) perfect - HS - Monsieur Bidouille

https://video.monsieurbidouille.fr/w/jLjLkL2g6ueD5z3UwSLLbV

Mac Users Targeted by Spyware Spreading via Xcode Projects - The XCSSET suite of malware also hijacks browsers, has a ransomware module and more -- and uses a ... https://threatpost.com/mac-spyware-xcode-projects/158388/ #developerprojects #vulnerabilities #zerodayexploits #browserhijack #xcodeprojects #websecurity #ransomware #trendmicro #malware #cookies #fakeapp #spyware #mach-o #xcsset #macos #mac