The benefits of using a VPN service to protect your privacy are clear: your ISP and other snoops won’t be able to spy on your online activity. What’s not always clear is which VPN service is trustworthy.
A VPN, or virtual private network, is software that creates a secure connection between your device and the Internet by routing your Internet traffic through an encrypted tunnel to a remote server. Basically, a VPN masks your IP address and helps keep some of your browsing activities private. Recently, three university researchers discovered that 18 of the most used VPNs on the Google Play store have shared infrastructure with serious security flaws that could expose customers’ browsing activity and leave it vulnerable to decryption. These VPNs are among the 100 most popular on the Google Play Store and have more than 700 million downloads.
He peer reviewed study by the Privacy Enhancing Technologies Symposium found that these VPNs, despite calling themselves independent companies, are actually grouped into three separate families of companies.
According to the findings, these are the three groups that contain the 18 VPNs:
- Family A: Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master Lite, Robot VPN, Snap VPN and SuperNet VPN
- Family B: Global VPN, VPN Inf, VPN Melon, VPN Super Z, VPN Touch, VPN ProMaster, VPN XY and VPN 3X
- Family C: X-VPN and Fast Potato VPN
Investigators determined that Family A VPNs are shared among three providers linked to Qihoo 360, a firm identified by the US Department of Defense as a Chinese military company. Family B VPNs use the same IP addresses from the same hosting company.
Know the parent company of your VPN
“It is also crucial to know what type of data the VPN provider shares with its parent company and affiliated entities,” Tomaschek said. “Some of these companies may even be required to record customer activity and share it with authorities, depending on the jurisdiction in which they operate.”
Despite the warnings, Tomaschek says it’s not that easy to find out who controls your VPN. But he says there are steps customers can take.
“Users can do a few things to make sure the VPN they use has a good reputation,” says Tomaschek. “Check the privacy policy, specifically for terms like ‘logging,’ ‘data sharing,’ or ‘data collection.’ A Google search for the provider can help determine if the VPN has been involved in questionable activity. Read detailed, unbiased reviews from reputable sources. Take extra care when signing in with a free VPN, even if it’s listed as a top pick in your app store.”
Vamshi says people and companies should be wary of VPNs that don’t have “independent audits, privacy policies, and transparency.” He recommends instead:
- Trusted, paid VPN providers that enforce strict no-logging commitments and undergo regular compliance reviews.
- Zero Trust/SASE solutions that provide secure, identity-based access.
PETS researchers examined the most downloaded VPNs on Android, looking for overlaps between business documentation, web presence, and code base. After identifying similarities in the codes, they were able to group the 18 VPNs into three groups. The study was initially driven by VPN Pro’s own findings, “Who owns your VPN? 105 VPNs managed by only 24 companies“.
“I would recommend removing it from your device immediately,” he said. “If you suspect that any sensitive personal data may have been compromised, it’s a good idea to keep an eye on your credit report and look into services such as dark web monitoring or identity theft protection.”