Hidden Links: Analyzing Secret Families of VPN Apps
Authors: Benjamin Mixon-Baca (ASU / Breakpointing Bad), Jeffrey Knockel (Citizen Lab / Bowdoin College), Jedidiah R. Crandall (Arizona State University)
Year: 2025
Issue: 2
Pages: 18–27
Abstract: Ownership transparency in the VPN ecosystem allows users to make informed decisions about who they trust with their data. Researchers have recently begun investigating the relationships between seemingly distinct providers and who operates them, but such analysis is currently limited to a small sample of providers in the VPN ecosystem. One known family of providers, Innovative Connecting, Autumn Breeze, and Lemon Clove, has been previously scrutinized by two research efforts linking them to the People’s Liberation Army. In our work, we identify and analyze three families of VPN providers. Combined, their download counts on the Google Play Store exceed 700 million. Similar to previous research, we use information from business filings and Android APKs to link distinct providers together. However, we build upon past work by introducing new methods for revealing how VPN providers are connected, showing that they even share VPN servers’ cryptographic credentials, including Shadowsocks passwords that are hard-coded into their APKs. Hard-coded Shadowsocks passwords allow an attacker to decrypt the traffic of these providers’ clients, compromising the security claimed by these providers. Therefore, our analysis reveals that these apps share not only common ownership but a common set of security issues. As such, these apps’ providers are not merely misleading their users about their ownership but about the extent of their security properties as well.
Copyright in FOCI articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
