New research has exposed a troubling reality about some of the world’s most downloaded VPN applications.
This study from Citizen Lab reveals that multiple VPN providers are secretly controlled by single entities and share dangerous security flaws.
The investigation analyzed apps from Google Play Store and identified three families of VPNs operated by the same companies.
The largest group includes Innovative Connecting, Autumn Breeze, and Lemon Clove, which together have over 700 million downloads.
Apps Connected to Sanctioned Chinese Firm
These companies distribute popular applications including Turbo VPN, VPN Monster, and Snap VPN. All three are linked to a Chinese cybersecurity firm sanctioned by the U.S. government for alleged connections to the People’s Liberation Army.
This discovery aligns with previous reporting that highlighted national security concerns about these same applications potentially transferring American user data to China.
Turbo VPN App in Google Play
Serious Security Vulnerabilities Discovered
The research uncovered multiple critical security issues across these VPN families. Many applications use Shadowsocks technology, originally designed to bypass Chinese internet censorship rather than provide true privacy protection.
Most concerning is the discovery that two VPN families use identical, hard-coded passwords built permanently into their applications. This means every user shares the same secret key, allowing anyone who discovers this password to decrypt all user traffic.
Researchers successfully used these shared passwords to confirm that different-looking VPN services actually operate on identical servers. This practice makes private user information visible to potential eavesdroppers and hackers.
Image from Citizen Lab Report
Data Collection Despite Privacy Promises
The study also found that several applications collect user location data and send it to remote servers, despite privacy policies claiming otherwise.
These apps employ outdated encryption methods that make them easier targets for cyber attacks.
When one application in a family contains vulnerabilities, all related apps share those same security weaknesses. This puts millions of users at risk without their knowledge.
Final Thoughts
This research reinforces why TROYPOINT never recommends free VPN services.
These applications must generate revenue somehow, and that typically means compromising user privacy and security. Free VPNs always come with hidden costs to your personal data!
Instead of risking your privacy with questionable free services, invest in a reputable paid VPN provider like Surfshark.
Quality VPN protection requires proper infrastructure and security practices that free services simply cannot provide while maintaining their business model.
For more information on this story refer to the report from Citizen Lab and the article from Hackread.
We want to know your thoughts. What do you think about this story? Let us know in the comment section below!
🛑 DON’T SLEEP ON THIS
Surfshark VPN Exclusive Discount
Your online activity is monitored by your ISP, app/addon/IPTV devs, government, and all websites.
🔒 Become anonymous while streaming & downloading with Surfshark VPN
Save 87% with 24-Month Plan + Get 3 FREE Months
Use on Unlimited Devices & Share 1 Account with Entire Family
CLAIM DEAL HERE
Be sure to stay up-to-date with the latest streaming news, reviews, tips, and more by following the TROYPOINT Advisor with updates weekly.
This page includes affiliate links where TROYPOINT may receive a commission at no extra cost to you. Many times, visitors will receive a discount due to the special arrangements made for our fans. Learn more on my Affiliate Disclaimer page.
