These seemingly independent VPNs are all connected – and they pose a threat to your data

An academic study has revealed hidden links between a number of VPNs, with apps sharing ownership and even security flaws.

These apps can in no way be considered some of the best VPNs, but they are popular. The combined Google Play Store downloads of them exceed 900 million.

Earlier this year, we reported on VPNs having links to the Chinese military. Investigations were carried out by the Tech Transparency Project (TTP) and this study builds upon the TTP's work.

Many apps uncovered by the TTP appear in the new study and can be grouped into "families" – sharing developers, code, and vulnerabilities.

Many of these VPNs are free or have free versions. Here at Tom's Guide, we always recommend subscribing to a paid VPN over a free one. You get more features, faster speeds, and an all-around better VPN experience.

However, certain free VPNs are a safe option for those who don't want to pay or can't pay. But you should always choose a reputable provider, and our best free VPN guide can help you make that choice.

18 apps have hidden links

The study was titled "Hidden Links: Analyzing Secret Families of VPN Apps" and researchers investigated the top 100 most downloaded apps, according to SensorTower and AppMagic.

This was then filtered down to 50 after excluding apps US-based providers. Information was then collected from the apps Google Play page, website, GitHub, and social media. The app's Android Package Kit (APK), DNS records, and wider code was also investigated in a security analysis.

The researchers goals were to identify VPN-specific security threats and "uncover deception via provider linkage."

VPN server IP addresses, proxy traffic, API connections, VPN protocols, and layers of code were all examined, with 18 VPN apps being sorted into three groups – Families A, B, and C.

Family A:

Family A was made up of eight apps, from three providers. Other research has linked all these providers to the holding company Lemon Seed, which is in itself linked to Qihoo 360 and the Chinese military.

All these apps shared code, APKs, infrastructure, signatures, and weak encryption.

Family B:

These apps were found to use the same IP address, from the same hosting company. Two of these app's privacy policies also mentioned Innovative Connecting. Similar code structures and weak encryption was also found.

Family C:

Fast Potato was found to have no business filings according to OpenCorporates. The code of these two VPNs was found to be "structurally and functionally similar" and included the same custom VPN protocol.

Other:

Three apps were grouped into an "Other" category as they didn't appear to share any links – they're still considered potentially dangerous and we'd recommend you avoid them.

How to stay safe

We have highlighted some of these VPN apps and developers before and strongly advise against downloading any of them.

Your personal data may be at risk and the apparent murkiness of their ownership and development leaves us asking who can and can't see your data.

Reputable VPN providers pride themselves on upholding the highest standards of privacy and security and operating strict no-logs policies.

Many of the VPNs analyzed in this study fail to adhere to these security standards and researchers were able to decrypt information.

These weaknesses stem from the use of Shadowsocks, a proxy used to circumvent the Great Firewall of China. Shadowsocks isn't designed to protect privacy, merely bypass censorship.

This research highlights the dangers posed by unchecked VPNs and reinforces how important it is to download reputable VPNs.