A new study has uncovered that more than 20 VPN apps on the Google Play Store share the same codebases and infrastructure, despite presenting themselves as independent services. Together, these apps account for 20 of the 100 most-downloaded VPNs on the platform, with a staggering 700 million users.
The findings raise serious questions about trust and transparency in an industry built on privacy — and highlight how poorly app stores may vet VPN providers.
The research, conducted by The Citizen Lab at the University of Toronto, traced these apps back to just three VPN families, some with ties to Russia and China. Investigators used business filings and forensic analysis of Android APKs to uncover the hidden connections.
Family A was tied to Innovative Connecting, Autumn Breeze, and Lemon Clove, and included major players like Turbo VPN, VPN Proxy Master, and Snap VPN — all of which shared identical code and assets. Family B, linked to Matrix Mobile, ForeRaya Technology, and Wildlook Tech, operated XY VPN, 3X VPN, and Melon VPN, which used the same VPN addresses. Family C, made up of Fast Potato and Free Connected Limited, controlled Fast Potato VPN and X-VPN.
Mashable Light Speed
Beyond a lack of transparency, the study also found serious security flaws. Some apps reused login credentials for ShadowSocks, a tool for bypassing firewalls. Others relied on outdated encryption algorithms, leaving users more exposed. Most concerning of all, all three VPN families were vulnerable to blind on-path attacks — meaning hackers on the same network, such as public Wi-Fi, could intercept traffic without either party realizing it.
The researchers noted that app stores have limited ability to verify who operates a VPN or how it’s built, since their review systems are largely focused on malware detection and privacy violations. As a remedy, they suggested introducing a security audit badge for VPNs — a certification that could give users more confidence in the apps they choose.
The specifics of Google’s app review process remain unclear. According to a support page, developers must provide a privacy policy, disclose whether the app contains ads, obtain a content rating, and share the app’s privacy and security practices with Google in order to pass review.
Google did not immediately respond to our request for comment on its verification practices.
