- A new study has found hidden links between 21 of the most downloaded VPN apps on the Google Play Store
- The VPN apps share security issues that could put users at risk
- Some of these apps have also been found to have undisclosed ties with Russia and China
Researchers have uncovered hidden connections between nearly two dozen seemingly independent VPN apps, raising questions about transparency and trust.
The new academic study reveals three families of VPN clients that share codebases and infrastructure, despite appearing unrelated in app stores.
Findings point to shared security flaws across the virtual private network (VPN) apps, which have combined downloads of over 700 million.
This lack of disclosure from 21 of the 100 most downloaded VPN apps in the Google Play Store is giving consumers a false sense of choice when downloading what they believe are competing VPN services.
The findings muddy a VPN marketplace in which users rely on providers to be transparent about their ownership and operations to make an informed decision about which is the best VPN to trust with their data.
For the paper, Hidden Links: Analyzing Secret Families of VPN Apps, the researchers started from the 100 most downloaded VPN apps on the Google Play Store and narrowed them down to 50, some of which had already been found to have ties with Russia and China.
The authors, Benjamin Mixon-Baca (ASU/Breakpointing Bad), Jeffrey Knockel (Citizen Lab/Bowdoin College), and Jedidiah R. Crandall (Arizona State University), combined information from business filings and Android APKs to identify links between providers.
Three families of VPN providers were identified:
- Family A, consisting of Innovative Connecting, Autumn Breeze, and Lemon Clove, was found to be collectively responsible for eight VPN apps. This includes Turbo VPN, VPN Proxy Master, and Snap VPN, all sharing nearly identical code, libraries, and assets.
- Family B, made up of Matrix Mobile, ForeRaya Technology, and Wildlook Tech, among others, is responsible for VPNs, including XY VPN, 3X VPN, and Melon VPN. The VPNs were linked through their use of the same protocols and obfuscation, and the sharing of VPN IP addresses.
- Family C, which consists of Fast Potato and Free Connected Limited, is behind Fast Potato VPN and X-VPN, and shares the same proprietary protocol implementation and obfuscation.
The research discovered several vulnerabilities that put user security and privacy at risk. Specifically, apps shipped hard-coded Shadowsocks credentials embedded in their APKs. Because the same password is reused widely, anyone who extracts it can decrypt the traffic of users on those servers.
Researchers identified several apps using outdated or insecure ciphers for Shadowsocks without proper IV protection. For the less techie out there, this significantly reduces the effectiveness of encryption, opening the door to decryption or other cryptographic attacks.
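Both of the findings above, hard-coded credentials reused across apps and legacy stream ciphers, are things an auditor can check mechanically once a client's Shadowsocks configuration has been recovered. The Python below is an illustration added here; it is not code from the paper or from any of the apps named. It parses Shadowsocks `ss://` URIs in both the legacy and SIP002 forms, flags ciphers that are not AEAD constructions, and reports a password that appears in more than one app's configuration. The app names, addresses and secrets are constructed sample values.

```python
import base64
from collections import defaultdict
from urllib.parse import unquote

# Shadowsocks cipher names as used by the reference implementations.
# AEAD ciphers authenticate every chunk and derive a per-session subkey
# from a random salt. The legacy stream ciphers carry no integrity check
# and rely on a per-connection IV for any confidentiality at all.
AEAD_CIPHERS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
STREAM_CIPHERS = {
    "rc4", "rc4-md5", "table",
    "aes-128-cfb", "aes-192-cfb", "aes-256-cfb",
    "aes-128-ctr", "aes-192-ctr", "aes-256-ctr",
    "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb",
    "bf-cfb", "salsa20", "chacha20", "chacha20-ietf",
}


def _b64decode(text: str) -> str:
    """Decode base64 in either alphabet, tolerating missing padding."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def _b64url(text: str) -> str:
    """Encode without padding, as SIP002 clients commonly do (used to build samples)."""
    return base64.urlsafe_b64encode(text.encode("utf-8")).decode("ascii").rstrip("=")


def parse_ss_uri(uri: str) -> dict:
    """Parse an ss:// URI in legacy form (ss://base64(method:password@host:port))
    or SIP002 form (ss://base64url(method:password)@host:port[/?plugin=...][#tag])."""
    if not uri.startswith("ss://"):
        raise ValueError("not a shadowsocks URI")
    body, _, tag = uri[len("ss://"):].partition("#")
    if "@" not in body:
        # Legacy form: the whole body is one base64 blob. Base64 never
        # contains '@', so its presence identifies the SIP002 form.
        body = _b64decode(body)
    userinfo, _, rest = body.rpartition("@")
    # SIP002 userinfo is base64url(method:password); base64 has no ':'.
    userinfo = unquote(userinfo) if ":" in userinfo else _b64decode(userinfo)
    method, _, password = userinfo.partition(":")
    hostport = rest.split("/", 1)[0]          # drop any /?plugin=... suffix
    host, _, port = hostport.rpartition(":")
    return {
        "method": method.lower(),
        "password": password,
        "host": host.strip("[]"),
        "port": int(port),
        "tag": unquote(tag),
    }


def audit_configs(configs: dict) -> list:
    """Map app name -> list of ss:// URIs to a list of findings
    (app, host, issue, detail). Issues: weak-stream-cipher, unknown-cipher,
    shared-password. Passwords themselves are never written to the report."""
    findings = []
    apps_by_password = defaultdict(set)
    for app, uris in configs.items():
        for uri in uris:
            cfg = parse_ss_uri(uri)
            if cfg["method"] in STREAM_CIPHERS:
                findings.append((app, cfg["host"], "weak-stream-cipher", cfg["method"]))
            elif cfg["method"] not in AEAD_CIPHERS:
                findings.append((app, cfg["host"], "unknown-cipher", cfg["method"]))
            apps_by_password[cfg["password"]].add(app)
    # A password present in more than one app's configuration means one
    # extracted secret exposes every user of every app in that set.
    for apps in apps_by_password.values():
        if len(apps) > 1:
            findings.append((", ".join(sorted(apps)), "*", "shared-password", f"{len(apps)} apps"))
    return findings


# Constructed sample configurations (not from any real app): documentation
# address ranges, invented app names and invented secrets.
SAMPLE_CONFIGS = {
    "AppOne": ["ss://" + _b64url("rc4-md5:sharedSecret123") + "@203.0.113.10:8388#node-a"],
    "AppTwo": ["ss://" + _b64url("aes-256-cfb:sharedSecret123@203.0.113.20:8388")],
    "AppThree": ["ss://" + _b64url("chacha20-ietf-poly1305:uniqueKey!") + "@198.51.100.7:443"],
}

if __name__ == "__main__":
    for app, host, issue, detail in audit_configs(SAMPLE_CONFIGS):
        print(f"{issue:20} {app:20} {host:15} {detail}")
```

Run against the sample, the report lists the two stream-cipher servers and one password shared by two apps, while the AEAD-protected entry passes. Passwords are grouped in memory only so that the report itself does not become another copy of the secret.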
All three families of VPN apps were also found to be vulnerable to blind on-path attacks. This occurs when an attacker on the same network – such as public Wi-Fi – infers information about active connections, even with VPN tunnelling in place.
App stores aren’t properly vetting VPNs
The study emphasizes the limitations of app store verification systems, which focus on malware detection and privacy violations, but don’t verify who is behind a VPN’s software or how it’s built.
Despite the three VPN families identified in the study accounting for more than 700 million downloads, the Google Play Store treated each app as an independent product. Google failed to catch coordinated attempts to conceal overlapping ownership and shared security flaws.
The researchers acknowledge the challenge app stores face in vetting developers and identifying vulnerable software, suggesting the security audit badge for VPN apps be made mandatory, and raising the idea of an identity verification badge for developers.
Without stricter app verification measures, the same vulnerabilities uncovered in the study will continue to spread unchecked, putting VPN users at risk.