Android VPN apps found insecure and secretly linked to a single Chinese company

Popular Android VPN apps are insecure and secretly controlled by Qihoo 360, a Chinese security company. Shared coding flaws, hard-coded passwords and location tracking put users’ privacy at serious risk.

August 26, 2025 / 15:28 IST

A new report from the Free and Open Communications on the Internet (FOCI) initiative has exposed serious security and privacy risks in popular Android VPN apps, revealing that many are secretly connected to a single Chinese corporation. Despite marketing themselves as secure, these apps are not only vulnerable but may also compromise users’ online privacy.

The FOCI researchers analysed numerous free VPN apps on Android, collectively downloaded more than 700 million times on Google Play. Using data from provider websites, app listings, business filings and social media, the team investigated technical similarities, coding patterns and hidden properties. Their findings were alarming: nearly all the apps fell into three apparent product groups with strikingly similar traits, all ultimately owned by the controversial Chinese security company Qihoo 360.

In Group A, eight apps were found to share almost identical Java code, libraries and assets. Supporting IPsec and Shadowsocks protocols, these apps displayed consistent security flaws, including location tracking, weak encryption, and hard-coded Shadowsocks passwords. These passwords could potentially be exploited to intercept internet traffic.

Group B apps relied solely on the Shadowsocks protocol, using the same hard-coded passwords to connect to servers. Group C included apps using a custom tunneling protocol, with source code described as “structurally and functionally similar” to the other groups. These apps also employed code obfuscation and other techniques to prevent reverse engineering.