For years, millions of smartphone users have trusted free VPN apps to keep their browsing private. But new research shows that many of those apps may be doing the exact opposite. A peer-reviewed study published in Free and Open Communications on the Internet (FOCI 2025) has revealed that at least 18 of the most-downloaded VPNs on Android are not only secretly connected but also share serious, system-wide security flaws.
The apps in question are not obscure. Together, they have been downloaded over 700 million times from the Google Play Store. Well-known names like Turbo VPN, VPN Proxy Master, Snap VPN, XY VPN, and X-VPN all fall into this hidden web.
The study grouped these apps into three secret families. On the surface, they look like unrelated products from different developers, but code similarities, business filings, and even shared cryptographic credentials tell a different story.
- Family A includes Turbo VPN, VPN Proxy Master, VPN Monster, Snap VPN, and others. All are tied to Singapore-registered firms like Innovative Connecting, Autumn Breeze, and Lemon Clove — which have previously been linked to Chinese cybersecurity giant Qihoo 360, a company flagged by the US Department of Defense as a “Chinese military company.”
- Family B includes XY VPN, Super Z VPN, Global VPN, and Melon VPN. These apps come from five different listed providers, but all connect to the same hosting company and reuse the same passwords.
- Family C is smaller but no less concerning. It includes X-VPN and Fast Potato VPN, which rely on nearly identical code and even the same custom tunneling protocol.
The research shows these “independent” VPNs are essentially clones, repackaged to look different while feeding into the same infrastructure.
The bigger issue is not just hidden ownership, but also how these VPN apps handle encryption and user data. The study revealed that many of them rely on hard-coded passwords in the Shadowsocks protocol, which makes it possible for attackers to decrypt traffic and spy on user activity or even hijack connections. They also continue to use weak ciphers like RC4-MD5, which are long outdated and vulnerable to known attacks. On top of this, the researchers found undisclosed tracking practices. Some apps explicitly claimed in their privacy policies that they did not collect location data, yet they secretly fetched ZIP code-level details linked to users’ IP addresses and uploaded the information to remote servers. To make matters worse, the way these apps route traffic leaves them open to client-side attacks, meaning users can still be exposed even when they believe they are browsing through a secure connection.
In some cases, the flaws were so basic that the researchers could “freeload” on VPN services by reusing the apps’ credentials from a laptop. That means if researchers can do it, so can cybercriminals.
Now the primary question is, why would a single company split its users across so many different apps? Damage Control could be the reason. If one app gets bad press or is banned from app stores, the others continue to operate. It is a diversification strategy, not for user safety, but for business survival.
Repackaging also saves money. Instead of building unique apps with separate infrastructure, it is easier to copy code, tweak the branding, and release multiple products.
This research highlights a critical weakness in the app store ecosystem. Google Play treated these apps as distinct products despite their shared infrastructure and vulnerabilities. While Google offers a “security audit badge” for VPNs.ownership transparency is still murky.
For users, it is important to understand that a free VPN that hides its true owners is not protecting their privacy. In fact, it might be making you less safe than using no VPN at all.
