Researchers find secret ties and vulnerabilities in popular VPN apps
A new study has uncovered that more than 20 VPN apps on the Google Play Store share the same codebases and infrastructure, despite presenting themselves as independent services. Together, these apps account for 20 of the 100 most-downloaded VPNs on the platform, with a staggering 700 million users.
The findings raise serious questions about trust and transparency in an industry built on privacy — and highlight how poorly app stores may vet VPN providers.
The research, conducted by The Citizen Lab at the University of Toronto, traced these apps back to just three VPN families, some with ties to Russia and China. Investigators used business filings and forensic analysis of Android APKs to uncover the hidden connections.
You May Also Like
Family A was tied to Innovative Connecting, Autumn Breeze, and Lemon Clove, and included major players like Turbo VPN, VPN Proxy Master, and Snap VPN — all of which shared identical code and assets. Family B, linked to Matrix Mobile, ForeRaya Technology, and Wildlook Tech, operated XY VPN, 3X VPN, and Melon VPN, which used the same VPN addresses. Family C, made up of Fast Potato and Free Connected Limited, controlled Fast Potato VPN and X-VPN.
Beyond a lack of transparency, the study also found serious security flaws. Some apps reused login credentials for ShadowSocks, a tool for bypassing firewalls. Others relied on outdated encryption algorithms, leaving users more exposed. Most concerning of all, all three VPN families were vulnerable to blind on-path attacks — meaning hackers on the same network, such as public Wi-Fi, could intercept traffic without either party realizing it.
The researchers noted that app stores have limited ability to verify who operates a VPN or how it’s built, since their review systems are largely focused on malware detection and privacy violations. As a remedy, they suggested introducing a security audit badge for VPNs — a certification that could give users more confidence in the apps they choose.
The specifics of Google’s app review process remain unclear. According to a support page, developers must provide a privacy policy, disclose whether the app contains ads, obtain a content rating, and share the app’s privacy and security practices with Google in order to pass review.
In a statement to Mashable through email, a Google spokesperson said that the company is committed to "compliance with applicable sanctions and trade compliance laws."
"When we locate accounts that may violate these laws, our related policies or Terms of Service, we take appropriate action."
UPDATE: Sep. 2, 2025, 3:17 p.m. EDT This article has been updated to include a statement from Google.
Topics Apps & Software Cybersecurity Privacy
Chance Townsend is the General Assignments Editor at Mashable, covering tech, video games, dating apps, digital culture, and whatever else comes his way. He has a Master's in Journalism from the University of North Texas and is a proud orange cat father. His writing has also appeared in PC Mag and Mother Jones.
In his free time, he cooks, loves to sleep, and greatly enjoys Detroit sports. If you have any tips or want to talk shop about the Lions, you can reach out to him on Bluesky @offbrandchance.bsky.social or by email at [email protected].
