These Popular Free VPNs All Share The Same Shady Security Practices - Here's Why

Security woes, hidden family ties exposed in popular VPN apps
Elyse Betters Picaro / ZDNET


ZDNET's key takeaways

  • Three VPN families analyzed, linking 18 apps to parent groups.
  • Security issues found, including hard-coded Shadowsocks keys.
  • Study shows many free VPNs may have shady security practices.

A new academic study has revealed suspicious origins and security vulnerabilities in apps collectively downloaded from the Google Play Store over 700 million times.

When you choose a Virtual Private Network (VPN) service, it is imperative that you pick one with a solid reputation and high security standards. It's important that robust encryption is in place and the VPN provider is known for protecting its users, quickly patching security issues, and being transparent about where it comes from and how it handles user data.

Unfortunately, not every VPN service commits to these principles, and this isn't always clear to consumers, as highlighted in a new study published as part of the Privacy Enhancing Technologies Symposium (PETS). Co-authored by Benjamin Mixon-Baca, Jeffrey Knockel (from Citizen Lab), and Jedidiah R. Crandall, the academic paper, titled Hidden Links: Analyzing Secret Families of VPN Apps (.PDF), explores three families of VPNs, narrowed down from the top 100 VPNs available in the Google Play Store.

'Nearly identical' Java code

Despite many of them marketing themselves as independent VPNs, the three families, as listed below, have markers that indicate the same origins or parent companies:

  • Family A - Providers: Innovative Connecting, Lemon Clove, Autumn Breeze | VPNs include: Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master -- Lite, Snap VPN, Robot VPN, SuperNet VPN
  • Family B - Providers: MATRIX MOBILE PTE LTD, Super Z VPN, The Tool Tech, Fruit Security Studios, WILDLOOK TECH PTE. LTD. | VPNs include: Global VPN, XY VPN, Super Z VPN, Touch VPN -- Stable & Secure, VPN ProMaster, 3X VPN, VPN Inf, Melon VPN
  • Family C - Providers: FreeConnectedLimited, Fast Potato | VPNs include: X-VPN, Fast Potato VPN

In Family A, each VPN app contained "nearly identical" Java code, shared libraries, assets, and infrastructure. Family B -- some of whose apps reference Family A's Innovative Connecting in their privacy policies -- shares VPN IP addresses. Family C's VPNs share similar code, the same obfuscation, and "a shared, proprietary protocol implementation."

Among the security issues discovered in these apps was the use of hard-coded Shadowsocks passwords in their APKs, which the researchers note "allow an attacker to decrypt the traffic of these providers' clients, compromising the security claimed by these providers." Vulnerabilities to blind-side attacks, weak encryption, and weaknesses to connection inference attacks were also uncovered.
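Why a password baked into an APK defeats the encryption, shown as an added example that is not from the article or the paper: in the public Shadowsocks AEAD design, the session key is a pure function of the password and a salt sent unencrypted at the start of each stream. The app names, password, and salt below are constructed, and AEAD mode is an assumption about how such an app is configured.

```python
import hashlib
import hmac

def evp_bytes_to_key(password: bytes, key_len: int) -> bytes:
    """OpenSSL-style EVP_BytesToKey (MD5, no salt): Shadowsocks password -> master key."""
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + password).digest()
        out += block
    return out[:key_len]

def hkdf_sha1(key: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-1, used by Shadowsocks AEAD for per-session subkeys."""
    prk = hmac.new(salt, key, hashlib.sha1).digest()           # extract
    okm, t, counter = b"", b"", 1
    while len(okm) < length:                                   # expand
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha1).digest()
        okm += t
        counter += 1
    return okm[:length]

def session_subkey(password: str, salt: bytes, key_len: int = 32) -> bytes:
    """Everything needed here is either shipped in the app or visible on the wire."""
    master = evp_bytes_to_key(password.encode(), key_len)
    return hkdf_sha1(master, salt, b"ss-subkey", key_len)

# Constructed sample: two differently branded apps shipping the same embedded password.
APP_CONFIGS = {
    "brand-one.apk": "example-embedded-password",
    "brand-two.apk": "example-embedded-password",
}
SALT_ON_WIRE = bytes(range(32))  # constructed; a real salt is random but not secret

def keys_shared_across_apps(configs: dict, salt: bytes) -> bool:
    """True when every app derives the same session key for a given salt."""
    return len({session_subkey(pw, salt) for pw in configs.values()}) == 1
```

The only secret input is the password, so a per-user credential provisioned at sign-in, rather than a constant in the package, is what keeps one user's key from being every user's key.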

Even if some or all of these VPNs are legitimate, it can be considered a deceptive practice not to disclose links and shared infrastructure for seemingly independent apps.

The researchers note there may be reasons for trying to keep each brand separate, citing development and management costs. Still, the security problems revealed by the study are concerning.

"App stores like the Play Store are in a challenging position given the scalability limitations around vetting developers and identifying software with misleading security properties in their store," the researchers say. "Google offers a security audit badge for VPN apps, but making such a badge mandatory for VPN apps and offering an identity verification badge for developers who go through an identity verification process might provide users further information and protection."

Little in life is truly free

If you use a free or unknown VPN, you have to keep in mind that VPN server infrastructure costs money to run, and so in most cases, you are trading something else in return for access.

Usually, free VPNs will collect, store, and share your information for targeted advertising purposes or otherwise, or they may bombard you with ads to make revenue. As this research potentially indicates, free or "lite" VPNs may not be trustworthy and may have a litany of security problems, which can risk your personal privacy and data.

If you want to use a VPN to improve your privacy online, we have compiled a list of our favorite VPNs in 2025 -- as well as a guide to the few trustworthy, free VPN services out there. Thankfully, none of our favorites -- including NordVPN, ExpressVPN, Proton VPN, or Surfshark -- were tied to this research.
