The 'VPN Factory' creating ad-infested apps – how one developer launched 39 cloned VPNs without a working website
Its apps have hundreds of thousands of downloads
Research has uncovered how VPN app developers are operating a VPN factory, launching dozens of ad-infested cloned VPN apps – amassing hundreds of thousands of downloads between them.
Karastm was the largest of these developers, boasting 39 clone Android VPN apps. All are littered with ads and have no working website or customer support.
None of the VPNs examined feature in our best VPN lists. However, many of Karastm's apps had over 100,000 downloads. We can't say for sure these are all genuine downloads, but many unassuming VPN users will believe their data is safe with these apps. In fact, these apps seemingly put user data at risk and make money off it.
The investigation, conducted by our friends at TechRadar, analyzed 3,471 Android VPN apps. They found that 77% failed basic accountability and transparency tests, such as not having a website, privacy policies and/or functioning email addresses.
39 apps with hundreds of thousands of downloads
Karastm's Google Play Store page lists 39 VPN apps. 38 of those are the same, carbon-copy, "(country) VPN – Fast & Secure." Apps include:
- USA VPN – Fast & Secure: 500,000+ downloads
- Germany VPN – Fast & Secure: 100,000+ downloads
- Brazil VPN – Fast & Secure: 100,000+ downloads
- India VPN – Fast & Secure: 100,000+ downloads
- United Kingdom VPN – Fast & Secure: 10,000+ downloads
USA VPN – Fast & Secure appears to be the developer's most popular app, with 500,000+ downloads displayed on its Google Play Store page. It has a rating of 3.6 stars from 2,530 reviews.
RodNet VPN is the only app listed on Karastm's page to not follow the "(country) VPN – Fast & Secure" naming convention. It has 100,000+ downloads and a 4.6 star rating from 2,490 reviews.
All VPNs on Karastm's page list the same support email – chancedanika866@gmail.com – and say they are based in Turkey. The email is a free-to-use Gmail account and, as part of the investigation, researchers contacted the email address with a VPN support question.
216 mid-sized Android VPN apps were sent the following email:
‘Hi, I'm using your Android VPN but it often won't connect, is there anything I can do? Thanks!’
After 14 days, only 19 responses were received – 8.8% – and none of those responses were from Karastm.
Karastm provides a link to its website under the App Support section of its Google Play Store page. The link for its clone VPN apps redirects back to its main Google Play Store developer page. The link for RodNet VPN takes you to a Google-Ads related list.
Of the 3,471 analyzed apps, 55% had a substandard or inaccessible privacy policy and 63% use personal email addresses.
Karastm's data privacy practices
Each of Karastm's apps says it contains ads. Being a free VPN, we'd imagine this is how the developer makes money. The apps also say there is no way your data can be deleted.
The apps say your data is encrypted, no data is shared with third-parties, and no user data is collected. However, its vague and seemingly-cloned privacy policy suggests otherwise.
Examining the privacy policy for USA VPN – Fast & Secure, the privacy policy says personal information provided is "retained on your device" and not collected by the app's developer. However, it says third-party services – Google Play Services and AdMob – "may collect information used to identify you."
The privacy policy states that your IP address, device name, OS, app configuration, time and date of use, and "other statistics" will be collected "in a case of an error in the app." Further down, the developer says they "cannot guarantee" absolute personal information security but strive "to use commercially acceptable means of protecting it."
The privacy policy is written from a first-person point of view, with consistent use of "I" and appears to be generated. The bottom of the policy states: "This privacy policy page was created at privacypolicytemplate.net and modified/generated by App Privacy Policy Generator."
Other than the name of the app and the privacy policy's date of creation, all Karastm's apps appear to have identical privacy policies.
What can we learn from Karastm's apps?
Apps like Karastm's should trigger alarm bells. A developer with a factory of VPNs is unlikely to be offering a quality service. No website, a copy-and-pasted privacy policy, and no official support email or company structure should all be considered signs to avoid these VPNs – and others like them.
Karastm isn't the only developer running a "VPN factory." The developer helalik has 22 apps in total. Like Karastm, most follow the "(country) VPN – Fast & Secure" formula and are based in Turkey. The privacy policies look exactly the same as those for Karastm's apps and have been created via the same privacy policy generator.
The support email is also hosted by Gmail – helalikarim463tye@gmail.com – and all share the same broken, non-existent, website link.
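The red flags described above can be checked mechanically across one developer's store listings. The following is an added example, not code from the TechRadar investigation: the listings, names and addresses are constructed, the field names and thresholds are assumptions, and the website field is assumed to hold the final URL after any redirect.

```python
import hashlib
import re
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com"}                      # assumption: extend with other free providers
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")  # assumption: policies carry ISO dates

def policy_fingerprint(text, app_name):
    """Hash a policy with the app name and creation date masked out."""
    masked = DATE_RE.sub("<DATE>", text.replace(app_name, "<APP>"))
    return hashlib.sha256(" ".join(masked.lower().split()).encode()).hexdigest()

def name_template(name):
    """Collapse '<Country> VPN – Fast & Secure' style names to one template."""
    m = re.match(r"^(.+?)\s+VPN\b(.*)$", name)
    return "<X> VPN" + m.group(2) if m else name

def no_real_website(final_url):
    """True if the listed site is missing or resolves back to the store."""
    host = urlparse(final_url).hostname or ""
    return host in ("", "play.google.com")

def audit_developer(apps):
    """Return the red flags that hold across one developer's listings."""
    n, flags = len(apps), []
    templates = [name_template(a["name"]) for a in apps]
    policies = {policy_fingerprint(a["policy"], a["name"]) for a in apps}
    top = max(templates.count(t) for t in set(templates))
    if n > 1 and top * 5 >= n * 4:             # at least 80% share one name pattern
        flags.append("cloned_names")
    if n > 1 and len(policies) == 1:           # identical apart from name and date
        flags.append("identical_policies")
    if all(a["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL for a in apps):
        flags.append("free_mail_support")
    if all(no_real_website(a["website"]) for a in apps):
        flags.append("no_website")
    return flags

# Constructed sample listings (not real apps or addresses).
POLICY = "Privacy policy for {0}. Created 2024-01-{1:02d}. I cannot guarantee security."
NAMES = ["Northland", "Southland", "Eastland", "Westland"]
FACTORY = [{"name": f"{c} VPN – Fast & Secure"} for c in NAMES] + [{"name": "Oddball VPN"}]
for i, app in enumerate(FACTORY, 1):
    app.update(policy=POLICY.format(app["name"], i), email="constructed.sample@gmail.com",
               website="https://play.google.com/store/apps/developer?id=SampleDev")
CONTROL = [{"name": "Solo VPN", "policy": POLICY.format("Solo VPN", 9),
            "email": "support@solo-vpn.example", "website": "https://solo-vpn.example/"}]

if __name__ == "__main__":
    print(audit_developer(FACTORY))
    print(audit_developer(CONTROL))
```

A single flag on its own proves little; it is the combination across many listings from one developer that matches the pattern described here.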
The security and privacy standards of these apps cannot match those offered by big name VPNs and your data may be collected and/or used for advertising.
Regardless of reviews, we'd recommend you avoid these apps and only download reputable VPNs certified as safe by Tom's Guide. If you don't want to pay for a premium VPN service, then the best free VPNs will protect your data just as well.
PrivadoVPN Free, Proton VPN Free, and Windscribe Free are all secure and maintain the same privacy standards as their paid counterparts. They're not feature-packed but will be more than good enough for daily browsing and limited streaming.
There are plenty of genuinely safe VPNs that exist, and our guides can help you find the right one for you.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights and censorship, and its interplay with politics. Outside of work, George is passionate about music, Star Wars, and Karate.
