Hidden Connections and Security Risks Found in Popular VPN Apps

A recent investigation has revealed that more than 20 VPN applications available on the Google Play Store are not as independent as they claim. Despite presenting themselves as separate services, these apps share common codebases and infrastructure. Collectively, they represent 20 of the top 100 most-downloaded VPNs on the platform, reaching over 700 million users worldwide.

This discovery raises significant concerns about transparency and trust within the VPN industry, which is expected to be built on security and privacy. It also highlights the limited vetting processes of major app stores when it comes to VPN providers.

The research, conducted by The Citizen Lab at the University of Toronto, traced these apps back to just three VPN groups, some with connections to Russia and China. By analyzing Android APK files and corporate records, investigators uncovered the hidden ties among these providers.

The Three VPN Families

  • Family A: Linked to Innovative Connecting, Autumn Breeze, and Lemon Clove, and includes well-known names such as Turbo VPN, VPN Proxy Master, and Snap VPN, all sharing the same code and resources.
  • Family B: Connected to Matrix Mobile, ForeRaya Technology, and Wildlook Tech, operating services like XY VPN, 3X VPN, and Melon VPN, which even use identical VPN addresses.
  • Family C: Comprising Fast Potato and Free Connected Limited, responsible for apps like Fast Potato VPN and X-VPN.

Security Weaknesses Uncovered

Beyond ownership transparency, the study found troubling vulnerabilities. Some VPNs reused login credentials for ShadowSocks, a proxy tool designed to bypass firewalls. Others depended on outdated encryption algorithms, putting user data at risk. Most concerning was the discovery that all three families were exposed to blind on-path attacks, which allow an attacker on the same network, such as a public Wi-Fi hotspot, to intercept traffic without detection.

Limited Oversight from App Stores

Researchers emphasized that app stores primarily focus on detecting malware and privacy policy violations, with little ability to validate the operational security or ownership structures of VPNs. As a solution, the report proposed the introduction of a security audit certification badge for VPN apps, which could help users identify trustworthy services.

Currently, Google’s app review process requires developers to disclose privacy policies, ad practices and security measures, and to obtain content ratings. However, the full scope of its verification process remains unclear, and Google has not issued a statement regarding these findings.

Key Takeaway

While VPNs are marketed as tools to protect user privacy, this study shows that many services may not be as independent or secure as they claim. Users should exercise caution when choosing a VPN and look for greater transparency and verifiable security standards in the industry.

Source: https://mashable.com/article/researchers-find-secret-ties-vulnerabilities-in-popular-vpn-apps