Back in April, an investigation found several potentially dangerous VPNs listed on the Apple App Store and Google Play Store.
The discovery didn't concern any of the best VPNs – these providers are reputable and safe – but over 20 VPNs were found to have links to the Chinese military and posed a risk to anyone who downloaded them.
The Tech Transparency Project (TPP) was behind the investigation, with the Financial Times also contributing to the report.
Two months later, the TPP has found that many of these dangerous VPN apps remain on app stores – and Apple and Google may even be profiting from these apps that put the data of Americans, and national security, at risk.
Over 10 VPNs still listed
The true ownership of these VPNs is deliberately confusing. Layers of offshore shell companies obscure the actual owners and hide their Chinese links.
The company Qihoo 360 was revealed as the owner of at least five apps. Qihoo 360 has previously been declared a "Chinese Military Company" and was sanctioned by the US in 2020.
Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN were at least five of the VPNs that were connected to Qihoo 360.
Qihoo 360 is not listed as the app's developer, but the TPP's earlier investigation traced app ownership back to the company.
The TPP reported that Thunder VPN and Snap VPN had been removed from the US Apple App Store, but Tom's Guide saw Thunder VPN listed.
In its new update, the TPP reported that Thunder VPN had now been removed, along with Signal Secure VPN.
However, at the time of writing, Tom's Guide found that Thunder VPN was still present on both the UK and US Apple App Store, along with Turbo VPN and VPN Proxy Master.
The TPP reported that 11 other Chinese-linked VPNs also remained on the Apple App Store.
These VPNs were: X-VPN, Ostrich VPN, VPNIFY, VPN Proxy OvpnSpider, WireVPN, Now VPN, Speedy Quark VPN, Best VPN Proxy AppVPN, HulaVPN, Wirevpn, and Pearl VPN.
The TPP reported that Turbo VPN, VPN Proxy Master, Snap VPN, and Signal Secure VPN were all found on the US Google Play Store, as well as seven other Chinese-linked VPNs.
These were: X-VPN, Speedy Quark VPN, vpnify, Ostrich VPN, VPN Proxy OvpnSpider, HulaVPN, and VPN Proxy AppVPN.
Tom's Guide also confirmed that at the time of writing Turbo VPN, Thunder VPN, VPN Proxy Master, Signal Secure VPN were all present on the US Google Play Store. But it also confirmed that Snap VPN was present, contrary to what the TPP found.
Why are these VPNs potentially dangerous?
Chinese data laws mean the government can demand companies share data with them. The absence of a verified no-logs policy results in copious amounts of user data being collected and stored by these VPNs.
Data can include IP addresses, browsing activity, device identifiers, and location. The sharing of this data with the Chinese government can pose a serious risk to Americans and, in the worst case, a US national security risk.
Currently there is no evidence to suggest a serious threat, but how much American data has been accessed is unknown. The fact collection can take place, and potentially be exploited, is a cause for concern.
It isn't just Chinese-owned VPNs that are a threat. There are numerous dangerous and fake VPNs out there – owned and operated by countries all over the world.
US-based big tech giants, such as Apple and Google, have equally poor privacy credentials. They collect data from millions of Americans and are more than happy to pass it on to governments.
Profits for Apple and Google?
All the VPNs discussed are free to download, but many offer in-app purchases and provide the option to upgrade to premium plans.
Subscriptions can be taken out by the user and this means Apple and Google could be taking a cut of any in-app purchases made.
Apple states that it takes a 30% cut of in-app purchases (15% for those enrolled in its small business program). Google charges 15% for sales up to $1 million and 30% for anything above that.
Apple's App Review Guidelines say "apps offering VPN services may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy."
Google Play also has a VPN app policy which states a VPN service cannot be used to "collect personal and sensitive user data without prominent disclosure and consent."
Tom's Guide approached both Apple and Google for comment.
A Google spokesperson said: "Google is committed to compliance with applicable sanctions and trade compliance laws."
"When we locate accounts that may violate these laws, our related policies or Terms of Service, we take appropriate action."
"Google Play is committed to protecting user privacy and providing a safe and secure environment for our users."
"Apps that are deceptive, malicious, or intended to abuse or misuse any network, device, or personal data are strictly prohibited."
Apple told us it doesn't limit an app's ownership and it has strict guidelines for VPN app developers. It said VPN apps must clearly state what user data is collected, if any, and how it will be used.
No data must be disclosed to third parties, and developers must commit to this in their privacy policies.
Apple said that it is in full compliance with regulations and the law. If it finds a developer breaking any rules, action will be taken against them.
Steps to take
Two months after first highlighting the dangers of these apps, we can continue to advise you to stay away from them. Despite being popular, these VPNs should not be downloaded or used.
Every VPN we recommend on Tom's Guide is reputable, safe, and won't put your data at risk. We look for, and analyze, no-logs policies to ensure they don't collect, store, and share your data.
Verified no-logs policies are a must-have for the leading and most secure VPNs, and Windscribe's recent court case showed just how important they are.
You shouldn't always trust the number of app store downloads or reviews a VPN app has and our range of guides can help you make an informed VPN decision.
Not all free VPNs are dangerous. The best free VPNs will protect your data with the same level of encryption as their paid counterparts and are covered by the same no-logs policies.
We'd also recommend a paid VPN over a free one. But if a free VPN is all you can manage, the providers we recommend will protect you and your online activity.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
