A new research paper titled “Hidden Links: Analyzing Secret Families of VPN Apps” by Citizen Lab has shed light on the shadowy ownership and security flaws of several popular Virtual Private Network (VPN) providers. The paper, co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall, reveals how certain VPN companies intentionally hide their true connections while sharing critical security vulnerabilities. This extensive study involved a deep analysis of apps available on the Google Play Store, examining code similarities, network communications, and business filings to expose these hidden links. The findings reveal a disturbing trend where multiple seemingly independent VPN services are actually operated by a small number of interconnected entities.
The research identified three primary families of VPNs that are secretly operated by the same parent entities. The most prominent group, with over 700 million downloads combined, includes providers like Innovative Connecting, Autumn Breeze, and Lemon Clove. These companies distribute widely used apps such as Turbo VPN, VPN Monster, and Snap VPN. A significant and concerning link was found between these companies and Qihoo 360, a Chinese national security firm that has been sanctioned by the U.S. government. Furthermore, Turbo VPN and Snap VPN were previously cited in a June 2025 Tech Transparency Project report for similar national security concerns regarding the potential transfer of U.S. user data to China.
Further investigation revealed that these VPNs not only share ownership but also use outdated and unsafe technological practices. A key finding was the use of Shadowsocks, a technology originally designed to bypass internet censorship in China, not to ensure user privacy. The apps were also found to employ weak and outdated encryption methods, leaving user data vulnerable to interception. In a flagrant breach of user trust, some of the apps were even caught collecting and transmitting a user’s location data to a server, despite their privacy policies explicitly promising not to do so. These security lapses expose a clear disregard for user privacy and security in favor of other, potentially malicious, objectives.
One of the most critical and alarming discoveries of the report was that these apps share not just code but also dangerous security vulnerabilities. For instance, two of the identified families of VPN providers used a single, hard-coded password for their apps. A hard-coded password is a secret key that is permanently embedded into an app during its development. This means the same password is used for every single user of that app. This shared vulnerability allows anyone who discovers the password to decrypt the traffic of all users, making their private information visible to eavesdroppers. Researchers were able to use these shared passwords to confirm that seemingly distinct VPN services were, in fact, operating on the same servers.
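As an added illustration (not code from the paper or from any of the apps it examines), the Python script below shows why a password baked into an app is a shared weakness: legacy Shadowsocks derives its cipher key from the configured password with OpenSSL's EVP_BytesToKey (MD5), so everyone who holds that password holds every user's key. The stream cipher here is a toy HMAC keystream standing in for the real one, and the password and traffic values are constructed.

```python
import hashlib
import hmac
import os


def evp_bytes_to_key(password: bytes, key_len: int = 32) -> bytes:
    """OpenSSL EVP_BytesToKey (MD5, no salt, one round). Legacy Shadowsocks
    derives the cipher key from the password this way, so the key is a pure
    function of the password: same password, same key, for every install."""
    key, prev = b"", b""
    while len(key) < key_len:
        prev = hashlib.md5(prev + password).digest()
        key += prev
    return key[:key_len]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter keystream) standing in for the
    real cipher; it exists only to show who can read the traffic."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], stream))
    return bytes(out)


HARDCODED_PASSWORD = b"example-shared-secret"  # constructed stand-in, not a real value


def user_session(password: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """What a client does: derive the key from its configured password and encrypt."""
    nonce = os.urandom(12)
    return nonce, keystream_xor(evp_bytes_to_key(password), nonce, plaintext)


def observer_decrypt(known_password: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """What any party holding the password can do with captured traffic."""
    return keystream_xor(evp_bytes_to_key(known_password), nonce, ciphertext)


def demo() -> tuple[list[bytes], bytes]:
    # Two users of two "different" apps that embed the same password (constructed traffic).
    sessions = [user_session(HARDCODED_PASSWORD, m) for m in (b"user1: GET /", b"user2: lat=0,lon=0")]
    recovered = [observer_decrypt(HARDCODED_PASSWORD, n, c) for n, c in sessions]
    # Mitigation: a per-install secret means the embedded password recovers nothing from others.
    nonce, ct = user_session(os.urandom(16), b"user3: GET /")
    garbled = observer_decrypt(HARDCODED_PASSWORD, nonce, ct)
    return recovered, garbled
```

Because the key derivation has no per-user or per-session input, rotating nothing but the app name leaves every user sharing one key; a per-install secret, or a proper authenticated key exchange, is the fix.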
In conclusion, the “Hidden Links” report serves as a stark warning to consumers about the risks of using popular, free VPN services without scrutiny. It exposes a deceptive network of VPN providers that prioritize commercial interests over user security and privacy. While the report highlights major security flaws in these families of VPNs, it also points out three other apps—from VPN Super Inc., Miczon LLC, and Secure Signal Inc.—that did not appear to have these hidden, dangerous links. This research underscores the importance of thorough vetting and due diligence when choosing a VPN service to protect one’s digital privacy.