The benefits of using a VPN service to protect your privacy are clear: Your ISP and other snoops won’t be able to spy on your online activity. What’s not always clear is which VPN service is trustworthy.
A VPN, or virtual private network, is software that creates a secure connection between your device and the internet by routing your internet traffic through an encrypted tunnel to a remote server. A VPN essentially masks your IP address and helps keep some of your browsing activities private. Recently, three university researchers discovered that 18 of the most widely used VPNs on the Google Play Store share infrastructure with serious security flaws that could expose customers’ browsing activity and leave it vulnerable to decryption. These VPNs are among the 100 most popular on the Google Play Store and together account for more than 700 million downloads.
The peer-reviewed study by the Privacy Enhancing Technologies Symposium found that these VPNs, despite calling themselves independent businesses, are actually grouped into three separate families of companies.
None of CNET’s recommended VPNs — ExpressVPN, NordVPN, Surfshark, Proton VPN and Mullvad — are on the list. (If you currently don’t have a VPN, here’s why you might want to start using one.)
According to the findings, these are the three groups that contain the 18 VPNs:
- Family A: Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master Lite, Robot VPN, Snap VPN and SuperNet VPN
- Family B: Global VPN, Inf VPN, Melon VPN, Super Z VPN, Touch VPN, VPN ProMaster, XY VPN and 3X VPN
- Family C: X-VPN and Fast Potato VPN
Researchers determined that the VPNs in Family A are shared between three providers linked to Qihoo 360, a firm identified by the US Department of Defense as a Chinese military company. The VPNs in Family B use the same IP addresses from the same hosting company.
Know your VPN’s parent company
It’s a cautionary tale about why it’s important to know who’s behind the VPN you’re using, says CNET senior writer Attila Tomaschek.
“It’s also crucial to know what kinds of data the VPN provider is sharing with its parent company and affiliated entities,” Tomaschek said. “Some of these companies may even be compelled to log customer activity and share it with authorities, depending on the jurisdiction in which they operate.”
Ashwin Vamshi, Head of Research & Detection Engineering for Cyble, said many of these shady VPNs are actually profiting off customer data. “Marketed as ‘free’ and promising ‘total anonymity,’ many of these services generate revenue by collecting, logging, and selling user data,” he told CNET. “In most of these cases, the consumer data become the product revenue stream placing privacy and security at significant risk.”
Despite the warnings, Tomaschek says it’s not so easy to figure out who controls your VPN. But he says there are measures that customers can take.
“Users can do a few things to help ensure the VPN they’re using is reputable,” Tomaschek says. “Check the privacy policy — specifically for terms like ‘logging,’ ‘data sharing’ or ‘data collection.’ A Google search of the provider can help determine whether the VPN has been involved in questionable activity. Read detailed, unbiased reviews from reputable sources. Be especially wary of signing on with a free VPN, even if it’s listed as a top choice in your app store.”
Vamshi says individuals and businesses need to be wary of VPNs that don’t have “independent audits, privacy and transparency policies.” He recommends instead:
- Trusted, paid VPN providers that enforce strict no-logging commitments and undergo regular compliance reviews.
- Zero Trust / SASE solutions that deliver secure and identity-driven access.
The PETS researchers examined the most downloaded VPNs on Android, looking for overlaps among business paperwork, web presence and codebase. After identifying code similarities, they were able to group the 18 VPNs into three groups. The study was initially spurred by VPN Pro’s own findings, “Who owns your VPN? 105 VPNs run by just 24 companies.”
CNET’s Tomaschek has advice for anyone who has been using one of these 18 VPNs.
“I’d recommend deleting it from your device immediately,” he said. “If you suspect that any sensitive personal data may have been compromised, it’s a good idea to keep an eye on your credit report and look into services like dark web monitoring or identity theft protection.”