Millions of Android VPN Users at Risk from Insecure Apps

Summary
– Three families of Android VPN apps with a combined total of over 700 million downloads are covertly linked, according to researchers from Arizona State University and Citizen Lab.
– The apps share code, security flaws and backend infrastructure, including weak encryption and hard-coded passwords that could let an attacker decrypt user traffic.
– Several apps collect location data even though their privacy policies state otherwise.
– The providers appear to be owned by a Chinese company, Qihoo 360, and have concealed this connection from users, raising concerns about data sharing with the Chinese government.
– Together, these weaknesses and the undisclosed ownership undermine the privacy and security guarantees the VPN providers claim to offer.
A major security investigation has uncovered that millions of Android VPN users may be at serious risk due to insecure applications secretly controlled by the same entities. Researchers from Arizona State University and Citizen Lab identified three distinct families of VPN apps with over 700 million downloads on the Google Play Store, all sharing critical security flaws and concealed ownership ties.
The study revealed that these apps, while marketed as privacy-enhancing tools, collect location data contrary to their own privacy policies, use weak or outdated encryption methods, and embed hard-coded passwords that could allow attackers to decrypt user traffic. These vulnerabilities fundamentally undermine the privacy protections that VPN services promise to deliver.
One group of eight apps, offered by three different providers, was found to share nearly identical code, libraries and security weaknesses. Each app gathered location-related information despite privacy policies explicitly stating otherwise. They also relied on deprecated encryption standards and embedded static Shadowsocks passwords that were identical across apps and accepted by multiple servers, a strong indication of shared backend infrastructure.
A second cluster of eight apps, supposedly developed by five separate companies, exclusively used the Shadowsocks protocol and connected to the same service using identical hard-coded credentials. Researchers confirmed that every server in this group was hosted by a single company, GlobalTeleHost Corp.
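The cross-app comparison the researchers describe (same password, same cipher, same servers turning up in apps from nominally unrelated publishers) is easy to automate once the Shadowsocks configs have been pulled out of the APKs. The script below is an added illustration, not code from the study or from any of the apps: it parses Shadowsocks configs in both JSON-field and ss:// URI form, flags non-AEAD ciphers (the stream ciphers the Shadowsocks project deprecated), and clusters apps that embed the same credentials or point at the same server. All app names, addresses and passwords in it are constructed.

```python
"""Audit embedded Shadowsocks configs from several VPN apps for credential
reuse, shared servers and deprecated ciphers.

Hypothetical helper written for this article; sample data is constructed.
"""
import base64
import json
from collections import defaultdict
from urllib.parse import unquote

# Shadowsocks AEAD ciphers. The project deprecated the older stream ciphers
# (aes-*-cfb, aes-*-ctr, rc4-md5, chacha20-ietf, ...) in favour of these.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
    "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm",
    "2022-blake3-chacha20-poly1305",
}


def is_deprecated_method(method: str) -> bool:
    """True for any cipher that is not one of the AEAD methods."""
    return method.lower() not in AEAD_METHODS


def _b64decode(s: str) -> str:
    # ss:// URIs carry base64 (legacy) or base64url (SIP002), often unpadded.
    # urlsafe_b64decode accepts both alphabets once padding is restored.
    s = s + "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s).decode()


def parse_ss_uri(uri: str) -> dict:
    """Parse SIP002 (ss://base64url(method:password)@host:port#tag) and
    legacy (ss://base64(method:password@host:port)) Shadowsocks URIs."""
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// URI")
    body, tag = uri[5:], ""
    if "#" in body:
        body, tag = body.split("#", 1)
        tag = unquote(tag)
    if "@" not in body:                 # legacy form: the whole body is base64
        body = _b64decode(body)
    userinfo, hostport = body.rsplit("@", 1)
    hostport = hostport.split("?", 1)[0]   # drop SIP002 plugin query, if any
    if ":" not in userinfo:             # SIP002: userinfo is base64url
        userinfo = _b64decode(userinfo)
    method, password = userinfo.split(":", 1)
    host, port = hostport.rsplit(":", 1)
    return {"server": host, "server_port": int(port),
            "method": method, "password": password, "tag": tag}


def audit(apps: dict) -> dict:
    """apps: {app_name: [config, ...]} where config has server/method/password.
    Returns apps grouped by shared (method, password), apps grouped by shared
    server, and the deprecated ciphers each app uses."""
    by_secret, by_server, deprecated = defaultdict(set), defaultdict(set), {}
    for app, configs in apps.items():
        for cfg in configs:
            by_secret[(cfg["method"], cfg["password"])].add(app)
            by_server[cfg["server"]].add(app)
            if is_deprecated_method(cfg["method"]):
                deprecated.setdefault(app, set()).add(cfg["method"])
    return {
        "shared_credentials": {k: sorted(v) for k, v in by_secret.items() if len(v) > 1},
        "shared_servers": {k: sorted(v) for k, v in by_server.items() if len(v) > 1},
        "deprecated_ciphers": {a: sorted(m) for a, m in deprecated.items()},
    }


def _ss_sip002(method, password, hostport, tag):
    # Constructed URI in SIP002 form (assumed sample, not a real app's config).
    ui = base64.urlsafe_b64encode(f"{method}:{password}".encode()).decode().rstrip("=")
    return f"ss://{ui}@{hostport}#{tag}"


def _ss_legacy(method, password, hostport):
    # Constructed URI in legacy form (assumed sample, not a real app's config).
    return "ss://" + base64.b64encode(f"{method}:{password}@{hostport}".encode()).decode()


# Constructed sample: the kind of material an analyst extracts from decompiled
# APKs. Three "competing" apps share one stream-cipher password; a fourth does not.
SAMPLE_APPS = {
    "FastVPN (Publisher A)": [
        {"server": "203.0.113.10", "server_port": 8388,
         "method": "aes-256-cfb", "password": "hardcoded-secret-1"}],
    "TurboVPN Lite (Publisher B)": [
        parse_ss_uri(_ss_sip002("aes-256-cfb", "hardcoded-secret-1", "203.0.113.11:8388", "node-2"))],
    "SecureNet (Publisher C)": [
        parse_ss_uri(_ss_legacy("aes-256-cfb", "hardcoded-secret-1", "203.0.113.10:8388"))],
    "OtherVPN (Publisher D)": [
        {"server": "198.51.100.5", "server_port": 443,
         "method": "chacha20-ietf-poly1305", "password": "unique-secret"}],
}

if __name__ == "__main__":
    report = audit(SAMPLE_APPS)
    print(json.dumps({k: {str(kk): vv for kk, vv in v.items()} for k, v in report.items()}, indent=2))
```

Feeding real extracted configs into `audit` gives exactly the two signals the article reports: a `shared_credentials` entry listing apps from different publishers is the "same hard-coded password" finding, and `shared_servers` plus a WHOIS lookup on each address is how a single hosting provider behind all of them would surface.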
A third pair of apps used a custom tunneling protocol with structurally similar source code and identical anti-reverse engineering techniques. These were found vulnerable to connection inference attacks, allowing eavesdroppers to identify who a user is communicating with through the VPN.
Perhaps most alarming is the evidence suggesting that all these providers are secretly linked to Qihoo 360, a Chinese firm with reported connections to the country’s military. The companies appear to have deliberately obscured their ownership, potentially to avoid reputational damage or to simplify management while maintaining a facade of market competition.
This is not the first time such concerns have emerged. Earlier this year, the Tech Transparency Project identified multiple VPN apps in Apple’s App Store with hidden ties to China-based entities. Given China’s stringent data laws, which can compel companies to share user information with the government, the risks are significantly heightened.
These findings highlight a troubling reality: users entrusting their data to these services may be exposing themselves to surveillance, data interception, and unauthorized access. The very tools marketed to protect privacy are, in some cases, doing the opposite.
(Source: NewsAPI Cybersecurity & Enterprise)