Concerns Over VPN Apps Linked to Chinese Ownership
Recent investigations by researchers at Arizona State University and Citizen Lab have unveiled a troubling connection between several popular Android VPN applications and entities based in mainland China and Hong Kong. These applications, which boast millions of downloads globally, have been found to share ownership and infrastructure, raising significant security concerns.
The researchers analyzed a range of VPN apps from the Google Play Store, examining their download counts, decompiled Java code, and security weaknesses. Their findings grouped the apps into three distinct families, each sharing the same security flaws within the family. The first group was particularly concerning, as its apps:
- Inexplicably collect location-related data, contradicting their stated privacy policies;
- Utilize outdated and weak encryption methods;
- Embed hard-coded Shadowsocks passwords; because the Shadowsocks key is derived directly from the password, anyone who extracts it from the app can decrypt user traffic. Since these apps also share backend infrastructure, the exposure is not confined to a single app.
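The following is an added example, not code from the Arizona State University / Citizen Lab study or from any of the apps it examined. It shows what an analyst would do with a decompiled APK's string dump: find hard-coded `ss://` links, parse both the legacy and SIP002 link formats published by the Shadowsocks project, flag ciphers that are not AEAD (the "outdated and weak encryption" point above), and derive the Shadowsocks master key with the protocol's documented `EVP_BytesToKey` scheme (MD5, no salt). That last step is the security point: the key is a pure function of the password, and the IV (legacy ciphers) or salt (AEAD ciphers) travels in the clear, so an attacker holding the hard-coded password and a packet capture has everything needed to decrypt the tunnel. The string dump, hostnames and passwords are constructed for the example; function names are mine.

```python
"""Scan a decompiled-APK string dump for hard-coded Shadowsocks links.
Added example: the dump, hosts and passwords are constructed; the link
formats and key derivation follow the public Shadowsocks specification."""
import base64
import binascii
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Authenticated (AEAD) Shadowsocks ciphers. Anything else a link can name
# is a legacy stream cipher: unauthenticated, malleable and deprecated.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
# Master-key sizes (bytes) for common methods; used to derive the key below.
KEY_LEN = {
    "aes-128-cfb": 16, "aes-192-cfb": 24, "aes-256-cfb": 32,
    "aes-128-ctr": 16, "aes-256-ctr": 32, "rc4-md5": 16,
    "chacha20": 32, "chacha20-ietf": 32, "salsa20": 32,
    "aes-128-gcm": 16, "aes-192-gcm": 24, "aes-256-gcm": 32,
    "chacha20-ietf-poly1305": 32, "xchacha20-ietf-poly1305": 32,
}
SS_LINK_RE = re.compile(r"ss://[^\s\"'<>]+")


def is_weak_method(method: str) -> bool:
    """True for every non-AEAD cipher (the 2022 edition is AEAD as well)."""
    m = method.lower()
    return m not in AEAD_METHODS and not m.startswith("2022-blake3-")


def evp_bytes_to_key(password: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey as Shadowsocks uses it: MD5 chain, no salt.
    D1 = MD5(pw), D2 = MD5(D1 || pw), ... truncated to key_len. The master
    key depends on nothing but the password; for AEAD methods the per-session
    subkey is then HKDF-SHA1(master, salt, "ss-subkey") with the salt sent in
    the clear, so a hard-coded password still yields the session key."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password).digest()
        out += prev
    return out[:key_len]


def _b64decode(s: str, urlsafe: bool) -> bytes:
    s += "=" * (-len(s) % 4)  # links commonly drop the padding
    return (base64.urlsafe_b64decode if urlsafe else base64.b64decode)(s)


def parse_ss_link(link: str) -> dict:
    """Parse legacy  ss://BASE64(method:password@host:port)#tag  and SIP002
    ss://BASE64URL(method:password)@host:port/?plugin=...#tag  links."""
    if not link.startswith("ss://"):
        raise ValueError("not a ss:// link")
    body, _, tag = link[5:].partition("#")
    plugin = None
    if "@" in body:  # SIP002: only the userinfo is encoded
        parts = urlsplit(link)
        userinfo = parts.netloc.rsplit("@", 1)[0]
        if ":" in userinfo:  # 2022 edition keeps userinfo as percent-encoded text
            method, password = unquote(userinfo).split(":", 1)
        else:
            method, password = _b64decode(userinfo, True).decode().split(":", 1)
        host, port = parts.hostname, parts.port
        plugin = parse_qs(parts.query).get("plugin", [None])[0]
    else:  # legacy: the whole body is one base64 blob
        decoded = _b64decode(body, False).decode()
        method, rest = decoded.split(":", 1)
        password, hostport = rest.rsplit("@", 1)
        host, port_s = hostport.rsplit(":", 1)
        port = int(port_s)
    finding = {"method": method, "password": password, "host": host, "port": port,
               "plugin": plugin, "tag": unquote(tag) or None,
               "weak_cipher": is_weak_method(method)}
    if method.lower() in KEY_LEN:  # the key an attacker gets for free
        finding["derived_key"] = evp_bytes_to_key(
            password.encode(), KEY_LEN[method.lower()]).hex()
    return finding


def make_legacy_link(method, password, host, port, tag=None):
    blob = base64.b64encode(f"{method}:{password}@{host}:{port}".encode()).decode()
    return f"ss://{blob}" + (f"#{tag}" if tag else "")


def make_sip002_link(method, password, host, port, tag=None):
    userinfo = base64.urlsafe_b64encode(f"{method}:{password}".encode()).decode().rstrip("=")
    return f"ss://{userinfo}@{host}:{port}" + (f"#{tag}" if tag else "")


def scan_strings(dump: str) -> list:
    """Return one finding per parseable ss:// link in a string dump."""
    findings = []
    for m in SS_LINK_RE.finditer(dump):
        try:
            findings.append(parse_ss_link(m.group()))
        except (ValueError, UnicodeDecodeError, binascii.Error):
            continue  # truncated or non-link string that merely starts with ss://
    return findings


# Constructed smali-style string dump; the second link was hand-encoded
# (base64("rc4-md5:pw") == "cmM0LW1kNTpwdw").
SAMPLE_STRINGS = "\n".join([
    'const-string v0, "https://api.example-vpn.invalid/servers"',
    'const-string v1, "ss://cmM0LW1kNTpwdw@203.0.113.10:8388#cn-node"',
    'const-string v2, "' + make_legacy_link("aes-256-cfb", "hunter2", "198.51.100.7", 443) + '"',
    'const-string v3, "' + make_sip002_link("aes-256-gcm", "s3cret", "192.0.2.5", 8388, "hk") + '"',
])

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"{f['host']}:{f['port']} {f['method']:24} weak={f['weak_cipher']} "
              f"password={f['password']!r} key={f.get('derived_key')}")
```

Run it against the output of `strings` on the APK's `classes.dex`, or against the decompiled sources; every hit is a credential the app ships to all of its users, and a `weak_cipher` hit means the tunnel offers no integrity protection even before the password is considered.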
Looking deeper, the researchers found that a single company operates all of the VPN servers used by the second group. The third family was vulnerable to connection interference by a blind in/on-path attacker on the client side, that is, an attacker positioned on the client's network path who can disrupt the tunnel without needing to decrypt it.
Of particular note is the revelation that these VPN providers are linked to Qihoo 360, a Chinese company that has made concerted efforts to obscure its ownership from its extensive user base, which exceeds 700 million. The Tech Transparency Project (TTP) has previously flagged Qihoo 360 as a potential national security threat in its report titled “Apple Offers Apps With Ties to Chinese Military.”
According to TTP’s investigation, millions of Americans have unknowingly downloaded apps that route their internet traffic through Chinese companies. Alarmingly, several of these applications have ties to Qihoo 360, which has been sanctioned due to its involvement with the Chinese military. The report highlights that one in five of the top 100 free VPNs in the U.S. App Store in 2024 were covertly owned by Chinese firms, which are legally bound to share user data with the Chinese government under national security laws.
Furthermore, TTP noted that some of these VPNs have targeted younger audiences through advertisements on platforms like Facebook and Instagram, aiming at teens as young as 13. This marketing strategy has raised eyebrows, especially as some ads have been directed at users seeking to maintain access to TikTok, another Chinese app facing scrutiny in the U.S.
As the researchers from Arizona State University and Citizen Lab delved into the apps associated with Qihoo 360—reportedly downloaded over 70 million times—they echoed the sentiments of TTP regarding the potential national security risks posed by these services. Qihoo 360’s placement on the Commerce Department’s Entity List and its designation as a ‘Chinese military company’ by the U.S. Department of Defense further underscore the gravity of the situation.
In light of these findings, users are urged to research who owns and operates their VPN provider, and to avoid services affiliated with the Chinese government, in order to safeguard their personal data and online privacy.