Researchers Uncover Concealed Links and Weaknesses in Widely Used VPN Applications


A recent investigation has found that more than 20 VPN applications on the Google Play Store share the same codebases and infrastructure, even though they present themselves as separate services. These applications account for 20 of the 100 most-downloaded VPNs on the platform, with a combined 700 million users.

The results prompt crucial concerns regarding trust and transparency in a sector focused on privacy and highlight the insufficient vetting of VPN providers by app marketplaces.

The study, carried out by The Citizen Lab at the University of Toronto, linked these applications to only three VPN families, with some associations traced back to Russia and China. Investigators employed business records and forensic analysis of Android APKs to reveal these concealed connections.

Family A was affiliated with Innovative Connecting, Autumn Breeze, and Lemon Clove, including notable players such as Turbo VPN, VPN Proxy Master, and Snap VPN, all utilizing identical code and resources. Family B, connected to Matrix Mobile, ForeRaya Technology, and Wildlook Tech, operated XY VPN, 3X VPN, and Melon VPN, which shared the same VPN addresses. Family C, consisting of Fast Potato and Free Connected Limited, oversaw Fast Potato VPN and X-VPN.
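As an added illustration (not code from the Citizen Lab study), the routine below clusters apps into families whenever they share a signal of the kind the study relied on: a signing-certificate fingerprint, a VPN server address, or an identical bundled library. The app names, fingerprints, addresses and library hashes are constructed placeholders, and it also records which signals tie each app to the others so an analyst can review every link.

```python
from collections import defaultdict

# Constructed sample records (placeholder names, fingerprints and addresses,
# not values from the study): the kind of signals a forensic pass over an
# APK might extract, such as the signing-certificate fingerprint, the VPN
# server endpoints it connects to, and hashes of bundled native libraries.
SAMPLE_APPS = {
    "vpn_app_1": {"cert": "sha256:AAAA", "hosts": {"203.0.113.10"}, "libs": {"libvpn.so:1a2b"}},
    "vpn_app_2": {"cert": "sha256:BBBB", "hosts": {"203.0.113.10", "203.0.113.11"}, "libs": {"libvpn.so:1a2b"}},
    "vpn_app_3": {"cert": "sha256:AAAA", "hosts": {"198.51.100.7"}, "libs": {"libvpn.so:9f9f"}},
    "vpn_app_4": {"cert": "sha256:CCCC", "hosts": {"198.51.100.99"}, "libs": {"libcore.so:0000"}},
}


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_families(apps):
    """Group apps that transitively share any signal.

    Returns (families, evidence): families is a sorted list of sorted member
    lists; evidence maps each linked app to the (kind, value) signals that
    tie it to at least one other app, so each link can be reviewed by hand.
    """
    parent = {name: name for name in apps}
    carriers = defaultdict(list)  # (signal kind, value) -> apps carrying it
    for name, meta in apps.items():
        carriers[("cert", meta["cert"])].append(name)
        for host in meta["hosts"]:
            carriers[("host", host)].append(name)
        for lib in meta["libs"]:
            carriers[("lib", lib)].append(name)
    evidence = defaultdict(set)
    for signal, names in carriers.items():
        if len(names) < 2:
            continue  # a signal seen in only one app links nothing
        for other in names[1:]:
            parent[_find(parent, other)] = _find(parent, names[0])
        for name in names:
            evidence[name].add(signal)
    groups = defaultdict(list)
    for name in apps:
        groups[_find(parent, name)].append(name)
    return sorted(sorted(g) for g in groups.values()), dict(evidence)


if __name__ == "__main__":
    for family in cluster_families(SAMPLE_APPS)[0]:
        print(family)
```

A shared hosting provider or a widely used third-party SDK can produce links that do not indicate common ownership, which is why the evidence for each link is returned rather than only the cluster.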

In addition to the absence of transparency, the study pointed out significant security vulnerabilities. Some applications reused login credentials for Shadowsocks, a tool designed for bypassing firewalls. Others depended on outdated encryption protocols, amplifying user risk. Most alarmingly, all three VPN families were vulnerable to blind on-path attacks, enabling attackers on the same network, such as public Wi-Fi, to capture traffic undetected.

The researchers highlighted that app stores have limited ability to confirm who operates a VPN or how its infrastructure is built, as their review mechanisms primarily target malware detection and privacy breaches. They proposed a security audit badge for VPNs, a certification that could bolster user trust in their app selections.

The details of Google’s app review process remain ambiguous. As per a support document, developers are required to furnish a privacy policy, indicate whether the application includes advertisements, obtain a content rating, and disclose the app’s privacy and security practices to Google in order to successfully pass the review.

Google did not promptly respond to inquiries regarding its verification methods.