Editor's take: In theory, VPN services and applications are meant to offer customers enhanced privacy and data security online. In practice, however, an alarmingly high number of VPNs fail to deliver on those promises – and some should be avoided like the plague or, worse, treated as legitimate malware threats.

Researchers participating in the Free and Open Communications on the Internet (FOCI) initiative have published a new report exposing the risks behind supposedly "secure" VPN apps for Android. The document reveals hidden connections between these apps, which appear to originate from the same Chinese corporation. Not only are the apps insecure, they also pose a serious threat to users' online privacy.
The FOCI team analyzed numerous free VPN apps widely available on Android. These apps are extremely popular, collectively surpassing 700 million downloads on Google Play. To uncover their origins and practices, researchers gathered data from multiple sources, including provider websites, Google Play listings, business filings, and social media posts.
Insecure Android VPNs
| Family | Provider Name | VPN Name | # Downloads |
|---|---|---|---|
| A | Innovative Connecting | Turbo VPN | 100,000,000+ |
| A | Innovative Connecting | Turbo VPN Lite | 50,000,000+ |
| A | Innovative Connecting | VPN Monster | 10,000,000+ |
| A | Lemon Clove | VPN Proxy Master | 100,000,000+ |
| A | Lemon Clove | VPN Proxy Master - Lite | 10,000,000+ |
| A | Autumn Breeze | Snap VPN | 50,000,000+ |
| A | Autumn Breeze | Robot VPN | 10,000,000+ |
| A | Autumn Breeze | SuperNet VPN | 1,000,000+ |
| B | MATRIX MOBILE PTE LTD | Global VPN | 10,000,000+ |
| B | MATRIX MOBILE PTE LTD | XY VPN | 100,000,000+ |
| B | Super Z VPN (Privacy & Proxy) | Super Z VPN | 10,000,000+ |
| B | The Tool Tech | Touch VPN-Stable & Secure | 50,000,000+ |
| B | Fruit Security Studios | VPN ProMaster-Secure your net | 50,000,000+ |
| B | Fruit Security Studios | 3X VPN - Smooth Browsing | 100,000,000+ |
| B | WILDLOOK TECH PTE. LTD. | VPN Inf | 10,000,000+ |
| B | WILDLOOK TECH PTE. LTD. | Melon VPN - Secure Proxy VPN | 50,000,000+ |
| C | FreeConnectedLimited | X-VPN | 50,000,000+ |
| C | Fast Potato ptd ltd | Fast Potato VPN | 10,000,000+ |
| Other | Mizcon LLC | Tetra VPN | 1,000,000+ |
| Other | Super VPN Inc | VPN - Super Unlimited Proxy | 100,000,000+ |
| Other | Secure Signal Inc | Secure VPN Safer Internet | 100,000,000+ |

The analysis focused on shared characteristics such as security flaws, coding patterns, and other hidden technical properties. The findings were alarming: nearly all of the apps fell into three ostensibly distinct VPN product groups that shared strikingly similar traits. Even more concerning, all these "different" providers were ultimately owned by the same controversial Chinese security company – Qihoo 360.
According to the report, the eight apps in Group A share almost identical Java code, libraries, and assets. They support both the IPsec and Shadowsocks protocols and exhibit the same security flaws, including location tracking, weak encryption, and hard-coded Shadowsocks passwords. These passwords could potentially be abused by Chinese authorities to intercept all internet traffic routed through the apps.
Apps in Group B only support the Shadowsocks protocol and also rely on the same hard-coded passwords to connect to Shadowsocks servers. Finally, Group C includes apps that use a custom tunneling protocol, with source code described as "structurally and functionally similar." These apps further employ code obfuscation and other countermeasures intended to resist reverse engineering.
The researchers warn that VPN apps covertly recording user location violate both user trust and privacy – ironically, the very protections VPNs claim to provide. Similarly, using shared hard-coded passwords is a severe security vulnerability that essentially nullifies any perceived privacy or security benefits.
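
The following audit sketch is an added example, not the FOCI researchers' tooling or code from the report. It scans strings dumped from several apps for embedded Shadowsocks credentials and groups the apps that ship the same password. It assumes the credentials appear as SIP002-style `ss://` URIs, which the article does not state, and all app names, hosts and passwords are constructed placeholders.

```python
import base64, hashlib, re
from collections import defaultdict

def _uri(method, password, host):
    """Build a SIP002-style ss:// URI (userinfo = base64url of method:password)."""
    info = base64.urlsafe_b64encode(f"{method}:{password}".encode()).decode()
    return f"ss://{info.rstrip('=')}@{host}:8388#node"

# Constructed sample: strings as they might be dumped from decompiled APKs.
# App names, hosts and passwords are placeholders, not values from the report.
SAMPLE_STRINGS = {
    "app-one": ["https://api.example.invalid/v1",
                _uri("aes-256-cfb", "PLACEHOLDER-1", "a.example.invalid")],
    "app-two": [_uri("aes-256-cfb", "PLACEHOLDER-1", "b.example.invalid")],
    "app-three": [_uri("chacha20-ietf-poly1305", "PLACEHOLDER-2", "c.example.invalid")],
    "app-four": ["settings_title", "no embedded config here"],
}

SS_URI = re.compile(r"ss://([A-Za-z0-9_\-+/=]+)@[^\s:/#]+:\d+")
# Assumption: the article only says "weak encryption"; this example treats
# any method outside Shadowsocks' AEAD ciphers as worth flagging.
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}

def extract_credentials(strings):
    """Yield (method, password) for each ss:// URI embedded in the strings."""
    for s in strings:
        for m in SS_URI.finditer(s):
            b64 = m.group(1)
            try:
                raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
            except ValueError:
                continue  # looked like a URI but userinfo is not base64
            method, _, password = raw.decode("utf-8", "replace").partition(":")
            if password:
                yield method.lower(), password

def audit(apps):
    """Return (fingerprints of passwords shared by 2+ apps, per-app findings)."""
    clusters, findings = defaultdict(set), defaultdict(list)
    for app, strings in apps.items():
        for method, password in extract_credentials(strings):
            fp = hashlib.sha256(password.encode()).hexdigest()[:12]
            clusters[fp].add(app)
            findings[app].append(f"hard-coded password {fp}")
            if method not in AEAD_METHODS:
                findings[app].append(f"non-AEAD cipher {method}")
    shared = {fp: sorted(a) for fp, a in clusters.items() if len(a) > 1}
    return shared, dict(findings)
if __name__ == "__main__":
    print(audit(SAMPLE_STRINGS))
```

Findings carry a truncated SHA-256 fingerprint rather than the password, so the output can go into a report without repeating the secret.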

The report does not speculate heavily on Qihoo 360's motives for concealing ownership of so many free VPN apps, an approach that likely helped boost downloads while avoiding reputational risks. The company, which has well-documented ties to Beijing's communist regime, may have pursued this strategy to minimize costs and maintain deniability.
"Ownership transparency in the VPN ecosystem allows users to make informed decisions about who they trust with their data," the report states.
Massively popular Android VPN apps are insecure, all secretly tied to one Chinese company