Some of the most-downloaded Android VPN apps are exposing users to surveillance and quietly obscuring who runs them, according to new academic research that links multiple brands to the same operators and to companies in China. The study details encryption failures that let snoops read traffic, undisclosed data collection, and shell-company tactics that hide true ownership across apps with a combined 700 million-plus installs.
What the researchers found
In a report titled “Hidden Links: Analyzing Secret Families of VPN Apps,” investigators from the University of Toronto’s Citizen Lab and Arizona State University examined the 100 most-downloaded mobile VPNs and dug into those not based in the U.S. They cross-referenced app code, shared libraries, developer certificates, server infrastructure, business filings, and web domains to map relationships that aren’t visible on a Google Play listing.

The analysis clustered the apps into three “families” that share code and infrastructure. The researchers say some providers appear to be centrally owned and operated by a Chinese company despite public-facing brands and corporate registrations designed to suggest otherwise.
Hard-coded keys and weak ciphers
In one group tied to providers including Innovative Connecting, Autumn Breeze, and Lemon Clove, the team found a critical error: a hard-coded password used with the Shadowsocks protocol. Shadowsocks relies on a pre-shared secret, and because every client shipped with the same one, extractable from the publicly downloadable app, any on-path observer could decrypt traffic between the app and its server, defeating the core promise of a VPN.
A second cluster, responsible for apps such as Global VPN, XY VPN, and Super Z VPN, reused the same servers and similarly embedded credentials in code. The research also flagged deprecated cryptography in some implementations and warned that Shadowsocks—originally built to bypass censorship—shouldn’t be treated as an anonymity or privacy tool.
A third group behind apps including Fast Potato VPN and X-VPN showed additional network weaknesses, such as susceptibility to blind on-path attacks. On shared Wi‑Fi, that opens the door to traffic manipulation, not just passive eavesdropping.
The investigators also observed behavior that contradicts marketing claims: several apps queried a geo‑IP service for the user’s IP-based ZIP code and uploaded it to provider servers. That kind of location tagging is at odds with “no logs” positioning and expands the risk if data are ever shared or breached.
Opaque ownership and China links
The Tech Transparency Project has previously connected some of the named providers to Qihoo 360, a large Chinese cybersecurity firm that has faced U.S. sanctions over ties to the People’s Liberation Army. The new research echoes those findings, arguing that multiple app “brands” mask common control, shared codebases, and co-located infrastructure.
Why split one operation into many VPNs? It widens search visibility, lowers engineering costs through code reuse, and isolates reputational fallout—if one brand is called out, others keep converting users. For consumers, the risk is straightforward: the operator that controls the servers controls the traffic. When that control is paired with weak encryption and undisclosed data collection, privacy promises collapse.
Google Play’s oversight problem
All of the flagged apps were available via the Google Play Store. The researchers note that uncovering cross-app relationships—matching SDK fingerprints, server IP clusters, TLS certificates, and shell-company paperwork—is labor-intensive and not easily automated at scale, which helps such networks persist.
Security experts argue the storefront can do more. Practical steps include scanning for hard-coded secrets, clustering apps by shared backend infrastructure, flagging recycled privacy policies, and requiring independent audits for “no-logs” claims. Clear, verified developer identity disclosures would also make it harder to hide ownership behind layers of affiliates.
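As an added illustration, not code from the study or from Google Play, the following Python sketch shows how the clustering step described above can be automated over an inventory of per-app indicators (signing certificate, server IPs, TLS certificate fingerprint, privacy-policy hash). The app names and indicator values are constructed placeholders, not real fingerprints.

```python
"""Cluster app listings into candidate 'families' by shared infrastructure.

Each app is a node; two apps are joined whenever they share any indicator.
Connected components are the families a reviewer would then inspect by hand.
Added example with constructed data, not the researchers' own tooling.
"""
from collections import defaultdict

# Constructed sample inventory: every value below is a placeholder.
APPS = {
    "AlphaVPN":   {"signer": {"cert-A"}, "ips": {"203.0.113.10"},
                   "tls": {"tls-1"}, "policy": {"pp-x"}},
    "BetaVPN":    {"signer": {"cert-B"}, "ips": {"203.0.113.10", "203.0.113.11"},
                   "tls": {"tls-2"}, "policy": {"pp-y"}},
    "GammaVPN":   {"signer": {"cert-C"}, "ips": {"198.51.100.5"},
                   "tls": {"tls-2"}, "policy": {"pp-z"}},
    "DeltaVPN":   {"signer": {"cert-D"}, "ips": {"198.51.100.9"},
                   "tls": {"tls-3"}, "policy": {"pp-q"}},
    "EpsilonVPN": {"signer": {"cert-D"}, "ips": {"192.0.2.7"},
                   "tls": {"tls-4"}, "policy": {"pp-q"}},
}


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_apps(apps):
    """Return families (2+ apps) with the indicators that tie them together."""
    parent = {name: name for name in apps}
    index = defaultdict(set)            # (kind, value) -> apps carrying it
    for name, rec in apps.items():
        for kind, values in rec.items():
            for v in values:
                index[(kind, v)].add(name)
    for members in index.values():      # any shared indicator merges the apps
        first, *rest = sorted(members)
        for other in rest:
            parent[_find(parent, other)] = _find(parent, first)
    groups = defaultdict(list)
    for name in apps:
        groups[_find(parent, name)].append(name)
    families = []
    for members in groups.values():
        if len(members) < 2:
            continue
        shared = sorted(f"{k}:{v}" for (k, v), owners in index.items()
                        if len(owners & set(members)) > 1)
        families.append({"apps": sorted(members), "shared": shared})
    return sorted(families, key=lambda f: f["apps"])
```

A transitive link (AlphaVPN shares a server with BetaVPN, which shares a TLS certificate with GammaVPN) lands all three in one family even though no single indicator spans all of them.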
What users can do now
Treat mobile VPNs as high-trust software. Prefer providers with recent third-party audits from reputable firms such as Cure53 or NCC Group, and look for open-source clients and transparent leadership. Modern protocols like WireGuard or IKEv2/IPsec are stronger choices for privacy than Shadowsocks.
Scrutinize app listings for telltale signs: generic publisher names, identical screenshots across “different” brands, copy‑paste privacy policies, and the same server lists. Check permissions, insist on a kill switch, and test for DNS and WebRTC leaks using well-known tools. If an app is free, assume your data is the product until proven otherwise.
Consumer watchdogs and digital rights groups have repeatedly warned that VPN trust hinges on accountability. Academic labs can uncover flaws, but without store-level enforcement and verifiable transparency from providers, users remain exposed.
The bottom line
The evidence is clear: several popular Android VPNs leak data, rely on weak or misapplied encryption, and obscure links to China through a web of brands. Until app stores demand stronger proof and developers submit to independent verification, the safest path is informed skepticism and careful selection—not blind trust in the top result.