Android VPN Apps Linked to Chinese Co (Qihoo 360) Tied to PRC

Robinson+Cole Data Privacy + Security Insider

Researchers at Arizona State University and Citizen Lab have discovered that three families of Android VPN applications, used by millions of people worldwide, are related and owned by companies or individuals located in mainland China or Hong Kong with ties to the People’s Republic of China.

The researchers analyzed numerous VPN apps, examining each app's Java code, security flaws, and number of Google Play Store downloads. From this research, they identified three families of VPN providers and their download counts. The apps in the first group contained identical security flaws, including that they:

  • Collect location-related data (even though their privacy policies say they don’t);
  • Use weak/deprecated encryption; and
  • Contain hard-coded Shadowsocks passwords, which, if extracted, may allow attackers to decrypt user traffic. These hard-coded credentials work across different apps and servers, proving that these providers use the same backend infrastructure.

They found that a single company hosts all of the VPN servers in the second group, and that the VPN apps in the third family “are susceptible to connection interference attacks using the client-side blind in/on-path attacks.”

Significantly, the researchers found that “the providers appear to be owned and operated by a Chinese company (i.e., Qihoo 360) and have gone to great lengths to hide this fact from their 700+ million combined user bases.”

The Tech Transparency Project (TTP) provided an in-depth analysis of Qihoo 360 as a national security threat in its article “Apple Offers Apps With Ties to Chinese Military,” which is well worth the read.

According to the article, “[m]illions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.” They discovered that “one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a ‘Chinese Military Company.’”

They further found that “one Chinese VPN has been advertised on Facebook and Instagram to teens as young as 13, and some have targeted ads at Americans looking to keep using TikTok, another Chinese app threatened with a U.S. ban.”

While the researchers from Arizona State University and Citizen Lab did an in-depth analysis of the apps owned by Qihoo 360 (which found that the apps were downloaded over 70 million times), TTP provides more information about Qihoo 360 and its national security risk. According to TTP, Qihoo 360 was placed on the Commerce Department’s Entity List. It was sanctioned in June 2020 as it “takes part in the procurement of commodities and technologies for military end-use in China.” It was also “designated by the U.S. Department of Defense as a ‘Chinese military company’ operating in the U.S.”

Similar to the concerns raised by TikTok and Temu, the free VPN services provided by Qihoo contain risks that users should consider. Research your VPN provider to ensure that it does not have ties to the Chinese Communist government.
