Google Play VPNs Exposed: Illusion of Choice Masks Common Security Weaknesses

People opening an app store to pick a VPN often assume they are weighing independent options. A new study suggests the choice may be far narrower than it looks. After mapping the hundred most popular VPNs on Google Play, researchers discovered that eighteen of them were linked by shared ownership, common infrastructure, and code reuse. Together those apps had been downloaded over seven hundred million times.

The team sorted them into three families. One of them tied together well-known apps such as Turbo VPN, Snap VPN, VPN Proxy Master and others, which turned out to be built with almost identical code and even reused the same hidden libraries. Another included services like XY VPN, Global VPN and Melon VPN, all traced back to servers hosted by a single company. A third contained only X-VPN and Fast Potato VPN, but those two were found to use a near-identical custom tunneling protocol that disguised its traffic as DNS requests.

The research highlighted that technical overlap mattered as much as corporate ties. Decompiled Android packages revealed the same embedded files across different providers, including configuration data that stored encryption keys. As the authors wrote, “Hard-coded Shadowsocks passwords allow an attacker to decrypt the traffic of these providers’ clients.” In practice, this meant every user of a given app shared the same key, so anyone with access to the software could pull it out and read supposedly private connections.

Their testing also showed that many of the apps were open to blind on-path attacks, where an adversary on the same network or positioned between client and server can interfere with or infer details of the encrypted session. The weakness came from the way the apps used Shadowsocks, which was built to evade censorship rather than to guarantee privacy. Several versions even relied on rc4-md5, a cipher that cryptographers deprecated years ago.

Another point of concern was the handling of user information. The study observed that, “Even when the VPN did not request the location permission, it requested the zip code of the user’s public IP … which it subsequently uploaded to a Firebase endpoint.” Privacy policies often promised otherwise, yet the apps quietly collected and sent that data.

The overlaps also made it possible to connect the providers together in ways that ordinary users could not. The authors explained that they were able to take cryptographic credentials from one app and use them to establish a tunnel with the servers of another. In their words, “These apps share not only common ownership but a common set of security issues.”
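As an added illustration (not code from the study or from any provider it names), the following Python audit checks Shadowsocks client configurations recovered from an app bundle for the problems the preceding paragraphs describe: a deprecated stream cipher such as rc4-md5, a password hard-coded into the app, and the same credential turning up in more than one app. The ss:// parser follows the SIP002 URI form; the app names, addresses and passwords are constructed samples.

```python
import base64
import json
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Shadowsocks stream ciphers (no per-packet authentication). rc4-md5 is the
# one the study singled out; modern clients only accept AEAD methods.
DEPRECATED_CIPHERS = {"rc4-md5", "rc4", "table", "bf-cfb", "salsa20",
                      "chacha20", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb"}


def parse_ss_uri(uri: str) -> dict:
    """Parse a SIP002 URI, ss://base64url(method:password)@host:port."""
    parsed = urlparse(uri)
    if parsed.scheme != "ss" or "@" not in parsed.netloc:
        raise ValueError("not a SIP002 ss:// URI")
    info = unquote(parsed.netloc.rsplit("@", 1)[0])
    decoded = base64.urlsafe_b64decode(info + "=" * (-len(info) % 4)).decode()
    method, password = decoded.split(":", 1)
    return {"method": method, "password": password,
            "server": parsed.hostname, "server_port": parsed.port}


def audit_configs(configs: dict) -> dict:
    """Map app name -> list of findings for each config dict (JSON field names)."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for app, cfg in configs.items():
        method = cfg.get("method", "").lower()
        if method in DEPRECATED_CIPHERS:
            findings[app].append(f"deprecated cipher {method}")
        if cfg.get("password"):
            # A password shipped inside the package is identical for every install.
            findings[app].append("hard-coded password")
            by_password[cfg["password"]].append(app)
    for apps in by_password.values():
        if len(apps) > 1:  # one secret unlocks several providers' servers
            for app in apps:
                others = sorted(a for a in apps if a != app)
                findings[app].append("credential shared with " + ", ".join(others))
    return dict(findings)


def sample_configs() -> dict:
    """Constructed sample of three hypothetical app bundles (not real providers)."""
    userinfo = base64.urlsafe_b64encode(b"rc4-md5:shared-secret-1").decode().rstrip("=")
    return {
        "app_a": parse_ss_uri(f"ss://{userinfo}@203.0.113.10:8388"),
        "app_b": json.loads('{"server": "203.0.113.11", "server_port": 8388, '
                            '"password": "shared-secret-1", "method": "aes-256-cfb"}'),
        "app_c": json.loads('{"server": "203.0.113.12", "server_port": 443, '
                            '"password": "", "method": "chacha20-ietf-poly1305"}'),
    }
```

Only app_c, which uses an AEAD cipher and ships no embedded secret, comes back clean.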

For users, the findings cut to the core of what a VPN is supposed to provide. An app claiming to shield browsing activity but running with hard-coded keys and outdated ciphers offers little more than the illusion of protection. For app stores, the research highlighted how difficult it is to detect hidden relationships. Google Play listed the services as if they were independent, yet technical evidence showed otherwise. While security badges exist for some VPN apps, identity checks are far less consistent, leaving room for deceptive providers to register under different shell companies.

The wider message was that security-sensitive apps are being built with methods closer to repackaging than careful engineering. By reusing the same code and servers, providers made development cheaper, but they also created single points of failure. As the researchers warned, “These weaknesses nullify the privacy and security guarantees the providers claim to offer.”

Notes: This post was edited/created using GenAI tools.
