Shocking Android VPN Privacy Risks Exposed

A new peer-reviewed study has found that a significant number of the most popular VPN apps on the Google Play Store are secretly connected, forming three large families while presenting themselves as independent services. The research, which did not include any of the major reputable VPN providers, focused on Android apps with a combined total of 700 million downloads.

Published in the Proceedings on Privacy Enhancing Technologies, the journal of the Privacy Enhancing Technologies Symposium, the study reveals that these VPNs not only failed to disclose their behind-the-scenes relationships but also ran on shared infrastructure riddled with serious security weaknesses. Well-known apps like Turbo VPN, VPN Proxy Master, and X-VPN were found to be susceptible to attacks that could expose a user's browsing history and allow an attacker to inject data into the connection.

The paper, titled Hidden Links: Analyzing Secret Families of VPN apps, was inspired by prior investigations into VPN ownership. Researchers set out to systematically document the connections between these secretly co-owned services. They began with the list of top-downloaded VPNs on Android and compiled data from business records, websites, and app code to find links. By identifying suspicious similarities in the code, they grouped 18 apps into three distinct families.

Family A includes Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master Lite, Snap VPN, Robot VPN, and SuperNet VPN. These apps are shared between three providers known as Innovative Connecting, Lemon Clove, and Autumn Breeze. All three of these entities have been linked to Qihoo 360, a firm based in mainland China that has been identified by the US Department of Defense as a Chinese military company.

Family B consists of Global VPN, XY VPN, Super Z VPN, Touch VPN, VPN ProMaster, 3X VPN, VPN Inf, and Melon VPN. These eight services, operated by five different providers, were found to all use the same IP addresses from the same hosting company, indicating a shared backend infrastructure.

Family C is made up of just two apps, X-VPN and Fast Potato VPN. Despite coming from different providers, the researchers discovered that both used nearly identical code and included the same custom VPN protocol, strongly suggesting a common origin.

For users, this study highlights two critical problems. The first is a severe breach of trust. Companies entrusted with users' most private online activities and personal data are not being transparent about their ownership, their base of operations, or who they might be sharing information with. Honesty is a fundamental requirement for any service handling sensitive data.

The second, more immediate problem is that the apps themselves are fundamentally insecure. All 18 VPNs across the three families use the Shadowsocks protocol with a hard-coded password. Shadowsocks has no authentication beyond that pre-shared password: every key it uses is derived from it, so anyone who extracts the password from the app holds the same secret as every user. That makes the apps vulnerable to takeover from the server side, where a party who controls or impersonates the server could deliver malware to clients, and from the client side, where a malicious actor on the network path could decrypt and eavesdrop on a user's web activity.
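To make the failure mode concrete, here is an added illustration of the Shadowsocks key schedule; it is not code from the paper or from any of the apps. It implements the protocol's two derivation steps (the OpenSSL-style EVP_BytesToKey master key and, for the AEAD ciphers, the HKDF-SHA1 "ss-subkey" session key) and then plays out a session between a client and an attacker who has pulled the password out of the APK. The password and salt values are constructed for the demo, and the per-user secret in the second run is a hypothetical alternative design used only to show what the attacker would be missing if the secret were not shared by every install.

```python
import hashlib
import hmac
import os


def evp_bytes_to_key(password: str, key_len: int) -> bytes:
    """Shadowsocks master key: OpenSSL EVP_BytesToKey with MD5, no salt, one
    round. The result depends on the password alone, so every installed copy
    of an app with a hard-coded password shares the same master key."""
    pw = password.encode()
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + pw).digest()
        out += prev
    return out[:key_len]


def hkdf_sha1(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-1, the construction Shadowsocks AEAD ciphers use
    (SIP004). Extract a PRK from the master key and salt, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha1).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_subkey(password: str, salt: bytes, key_len: int = 32) -> bytes:
    """Per-direction AEAD subkey. The salt is sent in the clear at the start of
    each stream; the only secret input is the pre-shared password."""
    master = evp_bytes_to_key(password, key_len)
    return hkdf_sha1(master, salt, b"ss-subkey", key_len)


def simulate_session(app_password: str, attacker_password: str, salt: bytes) -> dict:
    """A client opens a stream by sending `salt` in the clear and keying its AEAD
    cipher with subkey(app_password, salt). The attacker knows only
    `attacker_password` (whatever they extracted from the APK) and the salt they
    observed on the wire. If both keys match, the attacker can decrypt the
    client's traffic and forge server responses, since nothing else
    authenticates either side."""
    client_key = session_subkey(app_password, salt)
    attacker_key = session_subkey(attacker_password, salt)
    return {
        "salt_on_wire": salt.hex(),
        "client_key": client_key.hex(),
        "attacker_key": attacker_key.hex(),
        "attacker_can_decrypt_and_forge": client_key == attacker_key,
    }


if __name__ == "__main__":
    # Constructed values for the demo; not taken from any real app.
    HARDCODED = "demo-password-baked-into-apk"
    salt = os.urandom(32)

    # Case 1: the app ships one password for everyone, and the attacker has it.
    shared = simulate_session(HARDCODED, HARDCODED, salt)
    print("hard-coded password, attacker can decrypt/forge:",
          shared["attacker_can_decrypt_and_forge"])

    # Case 2 (hypothetical design): each user gets a provisioned secret that is
    # not in the APK. The attacker still holds the APK password, but it no
    # longer yields this user's session key.
    per_user = simulate_session("user-7f3a-provisioned-secret", HARDCODED, salt)
    print("per-user secret, attacker can decrypt/forge:",
          per_user["attacker_can_decrypt_and_forge"])
```

The legacy Shadowsocks stream ciphers skip the HKDF step and use the EVP_BytesToKey output directly with a cleartext IV, so the conclusion is the same for them: with the password in hand, the salt or IV on the wire is all an observer needs. Note that the second run does not describe how any of the studied apps could be fixed; it only isolates which input the attacker is relying on.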

Ultimately, a dishonest provider and a poorly built app are symptoms of the same issue: these services are not designed with user safety as a priority. Their presentation as unrelated products also demonstrates that app stores cannot be relied upon as an effective line of defense. This research makes it more imperative than ever to avoid downloading a free VPN without thorough vetting. The safest free options are those supported by reputable paid subscription services, which have a transparent business model and a vested interest in protecting their users’ privacy.
