Red Hot Cyber


972 million Google Play VPN users are at risk!

Redazione RHC: 22 August 2025 08:02

Citizen Lab analysts have reported that more than 20 VPN apps on the Google Play Store have serious security issues that threaten users’ privacy and allow the decryption of transmitted data. In total, these apps have been downloaded 972 million times.

Experts say the VPN providers distributing problematic apps are clearly linked to each other, although they claim to be separate companies and use various methods to hide the truth.

The Citizen Lab report builds on previous research that found links between three VPN providers allegedly based in Singapore: Innovative Connecting, Autumn Breeze, and Lemon Clove. All of these companies had previously been linked to a Chinese national, and researchers have now found further overlap between the apps, as well as links to other VPN apps and their developers.

According to the report, eight VPN apps created by Innovative Connecting, Autumn Breeze, and Lemon Clove share common code, dependencies, and hard-coded passwords, potentially allowing attackers to decrypt all user traffic. Together, these apps have more than 330 million installs on the Google Play Store.

All three companies, previously linked to Qihoo 360 (a Chinese cybersecurity firm sanctioned by the United States in 2020), offer VPN services and rely on the Shadowsocks protocol, originally designed to circumvent the Great Firewall of China.

The researchers note that the protocol uses symmetric encryption and is vulnerable to various attacks due to the use of outdated ciphers and hard-coded passwords. Furthermore, its interaction with the operating system’s connection tracking system allows attackers to take control of victims’ connections.

Eight applications (Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master – Lite, Snap VPN, Robot VPN, and SuperNet VPN) support IPsec and Shadowsocks protocols, have significant code overlaps, and use various mechanisms for anti-analysis and bypassing automatic security controls.

All of the apps examined by the researchers were vulnerable to connection tampering and packet injection attacks. All secretly collect user location information, use weak encryption, and contain the same hard-coded password for Shadowsocks configuration.

Using this password, Citizen Lab discovered that all three VPN providers offering these apps use the same infrastructure, further confirming their connection.
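As an added illustration, not taken from the Citizen Lab report or from any of the apps named above, the following Python audit flags the two configuration-level weaknesses described here: a legacy (non-AEAD) Shadowsocks cipher, which offers no integrity protection and so permits tampering, and a password shared across apps from supposedly unrelated vendors, the kind of overlap used to link the providers. The sample configs, server addresses and passwords are constructed placeholders, and the 16-character minimum is an assumed policy threshold rather than a Shadowsocks rule.

```python
from __future__ import annotations
import json
from collections import defaultdict

# Shadowsocks AEAD methods; anything else is a legacy stream cipher with no
# integrity check, which is what lets traffic be modified undetected.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
MIN_PASSWORD_LEN = 16  # assumed policy threshold, not a protocol requirement


def audit_config(cfg: dict) -> list[str]:
    """Return a list of findings for one Shadowsocks client config dict."""
    findings = []
    method = str(cfg.get("method", "")).lower()
    if method not in AEAD_METHODS:
        findings.append(f"legacy cipher '{method or 'missing'}' (not AEAD)")
    password = str(cfg.get("password", ""))
    if len(password) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def shared_passwords(configs: dict[str, dict]) -> dict[str, list[str]]:
    """Map each password that appears in more than one app to those apps."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for app, cfg in configs.items():
        by_password[str(cfg.get("password", ""))].append(app)
    return {pw: sorted(apps) for pw, apps in by_password.items() if len(apps) > 1}


# Constructed sample configs: placeholder values, not taken from any real app.
SAMPLE_CONFIGS = {
    "app-a": json.loads('{"server":"203.0.113.10","server_port":8388,'
                        '"method":"aes-256-cfb","password":"SHARED-PLACEHOLDER"}'),
    "app-b": json.loads('{"server":"203.0.113.11","server_port":8388,'
                        '"method":"rc4-md5","password":"SHARED-PLACEHOLDER"}'),
    "app-c": json.loads('{"server":"203.0.113.12","server_port":8388,'
                        '"method":"chacha20-ietf-poly1305",'
                        '"password":"a-distinct-placeholder-secret-value"}'),
}

if __name__ == "__main__":
    for app, cfg in SAMPLE_CONFIGS.items():
        print(app, audit_config(cfg) or ["no findings"])
    print("shared across apps:", shared_passwords(SAMPLE_CONFIGS))
```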

Note that another group of providers (Matrix Mobile PTE LTD, ForeRaya Technology Limited, Wildlook Tech PTE LTD, Hong Kong Silence Technology Limited, and Yolo Mobile Technology Limited) could be associated with the aforementioned trio, given their use of identical protocols, similar code, and obfuscation.

Their VPN solutions, downloaded more than 380 million times, were found to be vulnerable to connection tampering attacks, to contain obfuscated passwords, and to connect to the same set of IP addresses.

Two other providers, Fast Potato Pte. Ltd and Free Connected Limited, offer VPN clients that rely on the same proprietary protocol implementation.

According to Citizen Lab, the security and privacy issues identified in the studied apps impact users differently. For example, they could violate trust and privacy by surreptitiously collecting location data and could expose people to the risk of interception and traffic modification.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
