Some of the most popular apps for the Android operating system that millions of people use on their smartphones and tablets to route their online activity will channel users through servers hosted in countries that are notorious for snooping on their citizens, researchers at the University of California, Berkeley, and an affiliated security firm say.
The researchers found that several of the top VPN apps available on the Google Play store automatically connect people to servers in countries where governments have been known to snoop on users. The research outlines how encryption failures can expose sensitive traffic, how undisclosed data collection can affect users of any app, and how layers of shell companies can hide the true owner of apps that together account for more than 700 million installs.
What the researchers found
In a report called “Hidden Links: Exploring the Growth of the Secret App-Developing Ecosystem,” a group of investigators from the University of Toronto’s Citizen Lab and Arizona State University analyzed the 100 most-downloaded mobile VPNs and then looked into those from outside the U.S.
They cross-referenced app code, shared libraries, developer certificates, server infrastructure, business filings and web domains to map relationships that are not disclosed on a Google Play listing.
The apps were grouped into three “families” that share code and infrastructure, the analysis found. Some providers appear to be centrally owned and controlled by a Chinese company, the researchers say, despite public-facing brands and corporate registrations that would indicate otherwise.
Hard-coded keys, and weak ciphers
In one set associated with providers like Innovative Connecting, Autumn Breeze and Lemon Clove, the team discovered a “critical vulnerability”: a hard-coded password used with the Shadowsocks protocol. Since every client knew the key, any on-path attacker could decrypt traffic between the app and its server, defeating the fundamental promise of a VPN.
A second group, which controlled apps like Global VPN, XY VPN and Super Z VPN, reused the same servers and also hard-coded credentials in its code. The research also identified outdated cryptography in some implementations and cautioned that Shadowsocks, which was created to circumvent censorship, should not be treated as an anonymity or privacy tool.
The third group, which was responsible for apps like Fast Potato VPN and X-VPN, exhibited additional network weaknesses, including susceptibility to blind off-path attacks. On shared Wi‑Fi, that opens the possibility of traffic tampering, not just passive eavesdropping.
The researchers also observed behavior at odds with marketing claims: multiple apps queried a geo‑IP service for the user’s ZIP code based on IP address and uploaded it to provider servers.
That type of location tagging contradicts “no logs” claims and compounds the risk if the data is later shared or breached.
Opaque ownership and China ties
The Tech Transparency Project previously linked some of the named providers to Qihoo 360, a major Chinese cybersecurity firm that has come under U.S. sanctions for ties to the People’s Liberation Army. The new research corroborates those findings and contends that multiple app “brands” obscure common control, shared codebases and co-located infrastructure.
What’s the point of breaking one operation into multiple VPNs? It extends search visibility, reduces engineering costs by reusing code, and quarantines the reputational fallout: if one brand gets called out, the others keep operating. For consumers, the risk is simple: whoever runs the servers runs the traffic. Combine that control with weak encryption and undisclosed data collection, and privacy promises crumble.
Google Play’s oversight problem
All of the flagged apps were distributed through the Google Play Store. Discovering such relationships between apps is difficult and has not been effectively automated at scale, a gap that allows such networks to survive, the researchers say.
Security experts say the storefront can and should go further. Concrete actions include scanning for hard-coded secrets, clustering apps by common back-end infrastructure, flagging recycled privacy policies, and insisting on third-party audits tied to “no-logs” claims. Clear disclosure of verified developer identity would also make it harder to hide ownership behind layers of affiliates.
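Two of those checks, a scan for hard-coded secrets and clustering by shared back-end infrastructure, as an added example (not code from the article or from the report it covers): it decodes SIP002-style ss:// URIs, which carry base64(method:password) as the userinfo, and groups apps that reuse a password or server host. The string tables, brand names and addresses are constructed for the example.

```python
# Added example: flag hard-coded Shadowsocks credentials in APK string tables
# and cluster apps that share a password or server host. All data is constructed.
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

SS_URI = re.compile(r"ss://[A-Za-z0-9+/=_-]+@[A-Za-z0-9.-]+:\d+")

def make_ss_uri(method, password, host, port):
    """Build a SIP002 ss:// URI; used here only to construct sample data."""
    userinfo = base64.urlsafe_b64encode(f"{method}:{password}".encode()).decode()
    return f"ss://{userinfo.rstrip('=')}@{host}:{port}"

def parse_ss_uri(uri):
    """Return (method, password, host, port); userinfo is just base64(method:password)."""
    parts = urlsplit(uri)
    padded = parts.username + "=" * (-len(parts.username) % 4)  # restore padding
    method, password = base64.urlsafe_b64decode(padded).decode().split(":", 1)
    return method, password, parts.hostname, parts.port

def find_hardcoded_credentials(app_strings):
    """Map app name -> decoded ss:// credentials embedded in its strings."""
    findings = {}
    for app, strings in app_strings.items():
        creds = [parse_ss_uri(m.group(0)) for s in strings for m in SS_URI.finditer(s)]
        if creds:  # any embedded static credential is a finding on its own
            findings[app] = creds
    return findings

def cluster_by_shared_infrastructure(findings):
    """Return {("password"|"host", value): apps} for values reused by more than one app."""
    seen = defaultdict(set)
    for app, creds in findings.items():
        for _method, password, host, _port in creds:
            seen[("password", password)].add(app)
            seen[("host", host)].add(app)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample: two brands share a static key and a server; one embeds nothing.
APP_STRINGS = {
    "Brand A VPN": [make_ss_uri("aes-256-gcm", "static-key-1", "203.0.113.10", 8388)],
    "Brand B VPN": [make_ss_uri("aes-256-gcm", "static-key-1", "203.0.113.10", 8388), "privacy_url=https://b.example"],
    "Brand C VPN": ["wg_endpoint=198.51.100.7:51820"],  # no embedded credential
}

if __name__ == "__main__":
    found = find_hardcoded_credentials(APP_STRINGS)
    print("hard-coded credentials:", found)
    print("shared infrastructure:", cluster_by_shared_infrastructure(found))
```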
What you can do
Treat mobile VPNs as high-trust software. Look for a provider with recent third-party audits from well-known firms like Cure53 or NCC Group, open-source clients and transparent leadership. If you would like something more modern, I’m a big fan of WireGuard or IKEv2/IPsec; they are much safer for privacy than Shadowsocks.
Investigate the app store listing for clues: generic publisher names, screenshots that match across multiple “different” brands, copy‑pasted privacy policies, and identical server lists.
Inspect permissions, demand a kill switch, and test for DNS and WebRTC leaks with established tools. If an app is free, consider that your data is the product until you know otherwise.
Consumer watchdogs and digital rights groups have long warned that trust in VPNs depends on accountability. Academic labs can check for shortfalls, but without enforcement at the store level and verifiable transparency on the part of the provider, users remain vulnerable.
The bottom line
The evidence points one way: weak encryption, undisclosed data collection and a convoluted web of ownership have given Android VPN providers with Chinese links access to user data. Until app stores impose more rigorous verification and developers submit to third-party audits, the wisest course is informed skepticism and careful selection, not automatic reliance on the top search result.