
Android VPN applications used by millions of people are secretly connected to one another and are vulnerable to security issues.

A recent study by researchers from Arizona State University and Citizen Lab has revealed that three families of Android VPN apps, collectively boasting over 700 million downloads on Google Play, are secretly interconnected. Virtual Private Networks (VPNs) are often promoted as tools for enhancing user privacy and securing internet traffic. However, the consumer VPN landscape is notably opaque, making it challenging for users to make informed decisions regarding their online security. Researchers Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah R. Crandall conducted an extensive analysis of various Android VPN apps, uncovering hidden affiliations among providers who deliberately obscure their ownership. They gathered data from multiple sources, including websites, Google Play pages, and social media, and performed both static and dynamic analyses of the apps’ APKs.

The researchers identified three distinct families of VPN providers. Group A consists of eight apps from three providers that share nearly identical Java code, libraries, and assets. These apps exhibit significant security flaws, such as collecting location data contrary to their privacy policies, employing weak encryption, and containing hard-coded Shadowsocks passwords that could be exploited by attackers. Group B includes eight apps from five providers that exclusively support the Shadowsocks protocol and share similar security vulnerabilities, with all servers hosted by GlobalTeleHost Corp. Lastly, Group C comprises two providers, each offering a single mobile VPN app that utilises a custom tunnelling protocol and exhibits similar source code and security weaknesses. The findings highlight critical privacy concerns for users, particularly regarding undisclosed location data collection practices. 
