Citizen Lab: VPN apps on Google Play use the same hardcoded password

📟 News

Date: 22/08/2025

Citizen Lab analysts warned that more than 20 VPN apps on the Google Play store have serious security issues that threaten users’ privacy and allow transmitted data to be decrypted. In total, these apps account for 972 million downloads.

Experts report that the VPN providers distributing the problematic apps are clearly linked to each other. At the same time, they claim to be separate companies and use various methods to conceal the true state of affairs.

The Citizen Lab report builds on previous research that identified links between three VPN providers supposedly based in Singapore — Innovative Connecting, Autumn Breeze, and Lemon Clove. All of these companies were previously tied to a Chinese national, and now analysts have uncovered additional overlaps among the apps, as well as connections to other VPN apps and their developers.

According to the report, eight VPN apps developed by Innovative Connecting, Autumn Breeze, and Lemon Clove share code, dependencies, and hardcoded passwords, which could potentially allow attackers to decrypt all user traffic. Collectively, these apps have over 330 million installs on the Google Play Store.

All three companies, which were previously linked to Qihoo 360 (a Chinese cybersecurity company sanctioned by the U.S. in 2020), offer VPN services and rely on the Shadowsocks protocol, which was originally created to bypass the Great Firewall of China.

The researchers note that the protocol uses symmetric encryption and is vulnerable to various attacks due to the use of outdated ciphers and hardcoded passwords. In addition, its interaction with the operating system’s connection tracking system allows attackers to take control of victims’ connections.

Eight apps (Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master – Lite, Snap VPN, Robot VPN, and SuperNet VPN) support the IPsec and Shadowsocks protocols, likewise exhibit significant code overlap, and employ various anti-analysis mechanisms to evade automated security checks.

All the applications examined by the researchers were vulnerable to connection-tampering and packet injection attacks. They all secretly collect users’ location data, use weak encryption, and contain the same hardcoded password for the Shadowsocks configuration.
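The two findings the report keeps returning to are a deprecated Shadowsocks cipher and one password shared by every app. Both are things an app auditor can check mechanically before release. The following is an added example, not code from the Citizen Lab report or from any of the apps named above: a small linter that reads Shadowsocks client configs, flags stream ciphers the upstream project has deprecated, and groups apps by password so that a secret reused across several products stands out. The sample configs, app names, server addresses and passwords are constructed placeholders.

```python
import json
from collections import defaultdict

# Shadowsocks stream ciphers the upstream project has deprecated. They provide
# no integrity protection, which is what makes tampering with and injecting
# packets into a session feasible.
DEPRECATED_STREAM_CIPHERS = {
    "table", "rc4", "rc4-md5", "bf-cfb", "des-cfb", "salsa20", "chacha20",
    "chacha20-ietf", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb",
    "aes-128-ctr", "aes-192-ctr", "aes-256-ctr",
}
# AEAD ciphers the project currently recommends.
AEAD_CIPHERS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
MIN_PASSWORD_LEN = 16  # assumption: policy threshold chosen for this example


def lint_config(cfg: dict, known_shared_secrets=frozenset()) -> list:
    """Return a list of findings for one Shadowsocks client config dict."""
    findings = []
    method = str(cfg.get("method", "")).lower()
    if method in DEPRECATED_STREAM_CIPHERS:
        findings.append(
            f"deprecated stream cipher '{method}' (no integrity protection); "
            "use an AEAD cipher"
        )
    elif method not in AEAD_CIPHERS:
        findings.append(f"unrecognised cipher '{method}'")

    password = str(cfg.get("password", ""))
    if not password:
        findings.append("missing password")
    elif password in known_shared_secrets:
        findings.append("password matches a known shared/hardcoded secret")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def find_shared_passwords(configs: dict) -> dict:
    """Group app names by password; any group with two or more apps is a shared secret."""
    by_password = defaultdict(list)
    for app, cfg in configs.items():
        pw = cfg.get("password")
        if pw:
            by_password[pw].append(app)
    return {pw: sorted(apps) for pw, apps in by_password.items() if len(apps) > 1}


def audit(configs: dict) -> dict:
    """Lint every config, treating any cross-app password as a known shared secret."""
    shared_secrets = frozenset(find_shared_passwords(configs))
    return {app: lint_config(cfg, shared_secrets) for app, cfg in configs.items()}


# Constructed sample: configs as they might be extracted from four hypothetical
# apps. 192.0.2.0/24 is a documentation range; the secrets are placeholders.
SAMPLE_CONFIGS_JSON = """
{
  "app_a": {"server": "192.0.2.10", "server_port": 8388,
            "method": "aes-256-cfb", "password": "PLACEHOLDER-SHARED-SECRET"},
  "app_b": {"server": "192.0.2.10", "server_port": 8388,
            "method": "aes-256-cfb", "password": "PLACEHOLDER-SHARED-SECRET"},
  "app_c": {"server": "192.0.2.11", "server_port": 8388,
            "method": "rc4-md5", "password": "PLACEHOLDER-SHARED-SECRET"},
  "app_d": {"server": "192.0.2.20", "server_port": 8388,
            "method": "chacha20-ietf-poly1305",
            "password": "unique-per-install-secret-xyz"}
}
"""
SAMPLE_CONFIGS = json.loads(SAMPLE_CONFIGS_JSON)

if __name__ == "__main__":
    for app, findings in audit(SAMPLE_CONFIGS).items():
        print(app, findings or ["ok"])
```

Run against a real set of extracted configs, the cross-app grouping in `find_shared_passwords` is the part that reproduces the report's observation: identical passwords across products are a stronger infrastructure-sharing signal than any single weak config, and `audit` escalates such a password above the plain length check.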

Using this password, Citizen Lab discovered that all three VPN providers offering these apps share a single backend infrastructure, which further confirms the connection between them.

At the same time, it is noted that another group of providers — Matrix Mobile PTE LTD, ForeRaya Technology Limited, Wildlook Tech PTE LTD, Hong Kong Silence Technology Limited, and Yolo Mobile Technology Limited — may also be linked to the aforementioned trio, given their use of identical protocols, similarities in code, and obfuscation.

Their VPN solutions, with more than 380 million total downloads, also turned out to be vulnerable to man-in-the-middle attacks, contain obfuscated passwords, and connect to the same set of IP addresses.

Two other providers — Fast Potato Pte. Ltd and Free Connected Limited — offer VPN clients that rely on the same proprietary implementation of the protocol.

According to Citizen Lab, the identified security and privacy issues in the studied apps affect users in different ways. For example, they can undermine trust and privacy through the covert collection of location data, and they can also expose people to the risk of traffic interception and modification.

“The issues we identified affect users, service providers, and app stores. VPN users who value their privacy are, at the very least, advised to avoid using Shadowsocks, including apps from these developers, since Shadowsocks was designed not to provide privacy but to circumvent censorship,” Citizen Lab concluded.
