ZDNET’s key takeaways
- Three VPN families analyzed, linking 18 apps to parent groups.
- Security issues found, including hard-coded Shadowsocks keys.
- Study shows many free VPNs may have shady security practices.
A new academic study has revealed suspicious origins and security vulnerabilities in apps collectively downloaded from the Google Play Store over 700 million times.
When you choose a Virtual Private Network (VPN) service, it is imperative that you pick one with a solid reputation and high security standards. It’s important that robust encryption is in place and the VPN provider is known for protecting its users, quickly patching security issues, and being transparent about where it comes from and how it handles user data.
Unfortunately, not every VPN service commits to these principles, and this isn’t always clear to consumers, as highlighted in a new study published as part of the Privacy Enhancing Technologies Symposium (PETS). Co-authored by Benjamin Mixon-Baca, Jeffrey Knockel (from Citizen Lab), and Jedidiah R. Crandall, the academic paper, titled Hidden Links: Analyzing Secret Families of VPN Apps (.PDF), explores three families of VPNs, narrowed down from the top 100 VPNs available in the Google Play Store.
‘Nearly identical’ Java code
Despite many of them marketing themselves as independent VPNs, the three families, as listed below, have markers that indicate the same origins or parent companies:
- Family A – Providers: Innovative Connecting, Lemon Clove, Autumn Breeze | VPNs include: Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master — Lite, Snap VPN, Robot VPN, SuperNet VPN
- Family B – Providers: MATRIX MOBILE PTE LTD, Super Z VPN, The Tool Tech, Fruit Security Studios, WILDLOOK TECH PTE. LTD. | VPNs include: Global VPN, XY VPN, Super Z VPN, Touch VPN — Stable & Secure, VPN ProMaster, 3X VPN, VPN Inf, Melon VPN
- Family C – Providers: FreeConnectedLimited, Fast Potato | VPNs include: X-VPN, Fast Potato VPN
In Family A, each VPN app contained “nearly identical” Java code, shared libraries, assets, and infrastructure. Family B — some of whose apps reference Family A’s Innovative Connecting in their privacy policies — shares VPN IP addresses. Family C’s VPNs share similar code, the same obfuscation, and “a shared, proprietary protocol implementation.”
Among the security issues discovered in these apps was the use of hard-coded Shadowsocks passwords in their APKs, which the researchers note “allow an attacker to decrypt the traffic of these providers’ clients, compromising the security claimed by these providers.” The researchers also found vulnerabilities to blind-side attacks, weak encryption, and susceptibility to connection inference attacks.
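The two findings above, shared code across brands and credentials baked into the APK, are both things an app-vetting pipeline can check mechanically. The following is an added example written for this article, not tooling from the paper or from any of the providers named: it treats an APK as the zip file it is, measures how many byte-identical files two APKs share (the kind of overlap the study used to link brands), and flags embedded Shadowsocks configuration, whether as an ss:// URI or as a client-style JSON file. The APKs, hosts, and passwords it operates on are constructed inline, and the report records only the length of any password found, never its value.

```python
"""Constructed example: vet VPN APKs for (a) shared code across brands and
(b) hard-coded Shadowsocks credentials. Not the paper's tooling; all sample
APKs, hosts and passwords below are made up for the demonstration."""
import base64
import hashlib
import io
import json
import re
import zipfile

# Any ss:// URI embedded in an APK entry (SIP002 or legacy base64 form).
SS_URI_RE = re.compile(rb"ss://[^\s\"'<>]+")


def _b64decode_loose(s: str) -> str:
    """Decode standard or URL-safe base64 with padding possibly omitted."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode()


def parse_ss_uri(uri: str) -> dict:
    """Return method/host/port for an ss:// URI. The password itself is never
    returned, only its length, so the audit output can be shared safely."""
    body = uri[len("ss://"):]
    tag = None
    if "#" in body:
        body, tag = body.split("#", 1)
    if "@" in body:                       # SIP002: base64(method:password)@host:port
        userinfo, hostport = body.split("@", 1)
        method, password = _b64decode_loose(userinfo).split(":", 1)
    else:                                 # legacy: base64(method:password@host:port)
        methpass, hostport = _b64decode_loose(body).rsplit("@", 1)
        method, password = methpass.split(":", 1)
    host, port = hostport.rsplit(":", 1)
    return {"method": method, "host": host, "port": int(port),
            "password_len": len(password), "tag": tag}


def entry_digests(apk_bytes: bytes) -> set:
    """SHA-256 of every file inside the APK (an APK is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if not n.endswith("/")}


def jaccard(a: set, b: set) -> float:
    """Share of byte-identical files between two APKs; 1.0 means same contents."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def scan_for_ss_config(apk_bytes: bytes) -> list:
    """Flag entries carrying Shadowsocks credentials: ss:// URIs in any file, or
    JSON files with the server/password keys a Shadowsocks client config uses."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            for m in SS_URI_RE.finditer(data):
                try:
                    findings.append({"entry": name, "kind": "ss-uri",
                                     **parse_ss_uri(m.group(0).decode())})
                except ValueError:        # matched text was not a parseable ss:// URI
                    continue
            if name.endswith(".json"):
                try:
                    cfg = json.loads(data)
                except ValueError:
                    continue
                if isinstance(cfg, dict) and "password" in cfg and "server" in cfg:
                    findings.append({"entry": name, "kind": "json-config",
                                     "method": cfg.get("method"), "host": cfg["server"],
                                     "port": cfg.get("server_port"),
                                     "password_len": len(str(cfg["password"])), "tag": None})
    return findings


def _build_apk(files: dict) -> bytes:
    """Write an in-memory zip standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample APKs. The "shared" entries stand in for the identical
# classes and native libraries the study found across one family's brands.
_SHARED = {"classes.dex": b"constructed shared dex",
           "lib/arm64-v8a/libvpn.so": b"constructed shared lib"}
_SS_USERINFO = base64.urlsafe_b64encode(
    b"chacha20-ietf-poly1305:constructed-pw").decode().rstrip("=")
APK_BRAND_A = _build_apk({**_SHARED, "assets/servers.txt":
    b"ss://" + _SS_USERINFO.encode() + b"@203.0.113.10:8388#constructed-node\n"})
APK_BRAND_B = _build_apk({**_SHARED, "res/raw/brand.xml": b"<brand>B</brand>",
    "assets/ss.json": json.dumps({"server": "203.0.113.11", "server_port": 8388,
                                  "method": "aes-256-gcm",
                                  "password": "constructed-pw-2"}).encode()})
APK_UNRELATED = _build_apk({"classes.dex": b"different dex",
                            "lib/arm64-v8a/libother.so": b"other"})


def vet(apk_bytes: bytes, reference: bytes) -> dict:
    """One-shot verdict: code overlap with a reference APK plus any embedded keys."""
    return {"overlap": jaccard(entry_digests(apk_bytes), entry_digests(reference)),
            "credentials": scan_for_ss_config(apk_bytes)}


if __name__ == "__main__":
    for label, apk in (("brand B", APK_BRAND_B), ("unrelated", APK_UNRELATED)):
        print(label, vet(apk, APK_BRAND_A))
```

Byte-identical overlap is deliberately strict: renamed or recompiled classes will not match, so a real pipeline would add fuzzier signals (shared signing certificates, package names, library symbol tables, server addresses) on top. The point of the credential scan is that a password shipped to every installer is a shared secret in name only; when the check fires, the right response is to treat the key as public and report the app, not to use the key.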
Even if some or all of these VPNs are legitimate, it can be considered a deceptive practice not to disclose links and shared infrastructure for seemingly independent apps.
The researchers note there may be reasons for trying to keep each brand separate, citing development and management costs. Still, the security problems revealed by the study are concerning.
“App stores like the Play Store are in a challenging position given the scalability limitations around vetting developers and identifying software with misleading security properties in their store,” the researchers say. “Google offers a security audit badge for VPN apps, but making such a badge mandatory for VPN apps and offering an identity verification badge for developers who go through an identity verification process might provide users additional information and protection.”
Little in life is truly free
If you use a free or unknown VPN, you have to keep in mind that VPN server infrastructure costs money to run, and so in most cases, you are trading something else in return for access.
Usually, free VPNs will collect, store, and share your data for targeted advertising purposes or otherwise, or they may bombard you with ads to generate revenue. As this research potentially indicates, free or “lite” VPNs may not be trustworthy and may have a litany of security problems, which can risk your personal privacy and data.
If you want to use a VPN to improve your privacy online, we have compiled a list of our favorite VPNs in 2025, as well as a guide to the few trustworthy free VPN services out there. Thankfully, none of our favorites, including NordVPN, ExpressVPN, Proton VPN, and Surfshark, were tied to this research.