The paper Hidden Links: Analyzing Secret Families of VPN Apps by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall is the most brutal autopsy the VPN market has seen in years. It dissects the ecosystem with names, code snippets, and verifiable infrastructure evidence, and it leaves no plausible deniability for the companies involved.
700 million installs built on deception
The authors confirm that apps like TurboVPN, VPN Proxy Master, Snap VPN, VPN Monster, Melon VPN, Global VPN, XY VPN, and Super Z VPN are not independent providers. They are fronts. The paper states these companies “intentionally disguise their ownership” and rely on Singapore shell corporations that mask ties to Chinese operators previously linked to the PLA.
The illusion of separate brands collapses once you examine their binaries. Shared servers. Shared cryptographic material. Shared native libraries. Shared developer fingerprints. The researchers show that these apps do not merely look similar. They are the same product wearing different skins.
The ugliest finding. Hard coded encryption keys
This is the part that detonates any trust a user might have left. The researchers found that entire VPN families use the same hard coded Shadowsocks passwords across all users. Their words. “A network eavesdropper can decrypt all traffic for all clients using the apps” because the symmetric key is static and embedded in the app itself.
TurboVPN. VPN Monster. Proxy Master. Snap VPN. All of them rely on the same AES-192-ECB scheme to unwrap a config blob called server_offline.ser. Once extracted, the password decrypts any user’s traffic. The paper includes screenshots demonstrating decrypted network sessions in real time. “Hard coded keys in VPN Proxy Master enable a network eavesdropper decrypt traffic” using nothing more than the password pulled from the app’s memory dump.
This is not a misconfiguration. This is a catastrophic design decision that invalidates the concept of a VPN.
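To make the mechanism concrete, here is an added example (not code from the paper or from any of the apps it analyses). It implements the password-to-key derivation Shadowsocks actually uses, OpenSSL's EVP_BytesToKey with MD5 for the master key and HKDF-SHA1 for the per-connection subkey, on a constructed password, and shows that every install, and anyone holding the binary, arrives at the same key, while per-device secrets do not have that property.

```python
# Added example, not from the paper or from any app it analyses: a model of why a
# Shadowsocks password shipped inside an app is, by construction, every user's key.
import hashlib
import hmac
import os

def evp_bytes_to_key(password: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey (MD5, no salt, one round), which Shadowsocks uses to
    turn its password into the master key. The only input is the password."""
    derived, block = b"", b""
    while len(derived) < key_len:
        block = hashlib.md5(block + password).digest()
        derived += block
    return derived[:key_len]

def hkdf_sha1(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-1, the per-connection step in Shadowsocks AEAD."""
    prk = hmac.new(salt, ikm, hashlib.sha1).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def ss_session_key(password: bytes, salt: bytes, key_len: int = 32) -> bytes:
    """Shadowsocks AEAD subkey for one connection. The salt is sent in the clear at
    the start of the stream, so it adds freshness, not secrecy: the password alone
    recovers the subkey for any observed connection."""
    return hkdf_sha1(evp_bytes_to_key(password, key_len), salt, b"ss-subkey", key_len)

def distinct_keys(keys: list) -> int:
    """Number of distinct keys protecting a population; 1 means one leak reads all."""
    return len(set(keys))

def static_password_population(embedded_password: bytes, clients: int) -> list:
    """Design the paper describes: one password baked into the binary for everyone."""
    return [evp_bytes_to_key(embedded_password, 32) for _ in range(clients)]

def per_device_population(clients: int) -> list:
    """Recommended design: a fresh random secret issued to each device at enrolment."""
    return [os.urandom(32) for _ in range(clients)]

if __name__ == "__main__":
    pw = b"constructed-demo-password"   # constructed; not a credential from any app
    print("static password, distinct keys:", distinct_keys(static_password_population(pw, 1000)))  # 1
    print("per-device secrets, distinct keys:", distinct_keys(per_device_population(1000)))      # 1000
    salt = os.urandom(32)               # a client's per-connection salt, visible on the wire
    client_key = ss_session_key(pw, salt)
    observer_key = ss_session_key(pw, salt)  # anyone holding the binary's password
    print("observer derives the client's session key:", client_key == observer_key)  # True
```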
The illusion of choice
The authors proved that dozens of branded VPNs are controlled by a small number of hidden operators. They established tunnels from one company’s extracted credentials to another company’s servers and succeeded. This is not market diversity. It is a network of cloned apps feeding into the same backend.
The paper states plainly that these apps “share not only common ownership but a common set of security issues” that expose users to identical risks across all these brands.
Quiet location tracking despite explicit denials
The apps repeatedly requested the user’s ZIP code and IP geolocation from ip-api.com, then uploaded it to Firebase, even when location permissions were denied. The privacy policies claimed no such data was collected. The researchers write. “We observed them to do so” while analyzing live requests from the apps.
If a VPN lies about location data, the rest of its promises are worthless.
Shadowsocks. Not a privacy tool. Not a VPN.
The paper reminds readers that Shadowsocks “was not designed to satisfy confidentiality or integrity” and was built for censorship circumvention, not privacy.
These companies not only used Shadowsocks as a VPN substitute. They paired it with global static passwords. That is negligence on a level that borders on malicious intent.
Obfuscation as a weapon
The researchers uncovered fake PNGs that decrypted into IPsec configuration data, native libraries rigged to assemble encryption keys at runtime, and code designed to frustrate auditing. The paper calls these “defense mechanisms” whose purpose was to mislead analysts and automated tools, not to improve user safety.
If a VPN has to hide how it works, it is because the truth is worse than the marketing.
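As an added example (not the paper's tooling), here is the triage check an analyst would run over an app's bundled assets to catch the trick described above: a file named .png whose bytes are really an encrypted blob. It walks the PNG chunk layout, verifies every chunk CRC and reports why a file is not the image it claims to be; the two sample inputs are constructed inline.

```python
# Added example, not the paper's tooling: flag bundled "*.png" assets that are not
# PNG images at all (the paper found such files decrypting to IPsec configuration).
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_problems(data: bytes) -> list:
    """Walk the PNG chunk layout and return every reason the bytes are not a
    well-formed PNG (empty list = genuine image). A real PNG starts with the
    8-byte signature, then IHDR, carries a CRC-32 on every chunk and ends with
    IEND; an encrypted config blob fails at the very first check."""
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    problems, pos, first, last = [], len(PNG_SIGNATURE), None, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            problems.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        if not ctype.isalpha():                      # chunk types are ASCII letters
            problems.append(f"non-letter chunk type {ctype!r} at offset {pos}")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            problems.append(f"bad CRC on chunk {ctype!r} at offset {pos}")
        first, last = first or ctype, ctype
        pos += 12 + length
    if first != b"IHDR":
        problems.append("first chunk is not IHDR")
    if last != b"IEND":
        problems.append("no IEND terminator")
    elif pos != len(data):
        problems.append(f"{len(data) - pos} trailing bytes after IEND")
    return problems

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Assemble one PNG chunk with a correct CRC (used only to build the sample)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a genuine 1x1 greyscale PNG, and random bytes shipped as "logo.png".
REAL_PNG = (PNG_SIGNATURE
            + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(b"\x00\x80"))
            + chunk(b"IEND", b""))
FAKE_PNG = bytes(range(256)) * 2   # stands in for an encrypted configuration blob

if __name__ == "__main__":
    for name, blob in [("icon.png", REAL_PNG), ("logo.png", FAKE_PNG)]:
        print(name, "->", png_problems(blob) or "well-formed PNG")
```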
Actual security recommendations backed by evidence
The paper ends with recommendations that align with what any competent privacy service should already be doing.
• Do not use Shadowsocks for privacy or VPN tunneling.
• Do not use any VPN with hard coded symmetric keys.
• Do not trust providers who hide ownership behind shell entities.
• Use modern, audited protocols like WireGuard or OpenVPN.
• Use services that generate per device keys, not shared credentials.
• Use services that collect no telemetry and no location metadata.
• Use software with transparent operation rather than obfuscated binaries.
• Use providers that avoid home rolled crypto and static passwords.
These are the minimum requirements for handling your network traffic.
The business model is the vulnerability
The authors make a final point that seals the case. These failures were not mistakes. They were predictable consequences of an ecosystem built on deception and ultra low cost development. They write that these issues “nullify the privacy and security guarantees the providers claim to offer” and that the companies “went to great lengths to hide” their true operations from hundreds of millions of users.
The conclusion is simple. Free VPNs built on ad funnels and shell companies are not privacy tools. They are security liabilities with a connect button.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
FAQ
What did the study reveal about VPN ownership?
It showed that many top VPN apps are operated by the same hidden entities despite claiming to be separate companies.
Why are hard coded passwords catastrophic?
Because a single extracted password allows anyone to decrypt all users’ traffic.
Did the VPNs collect location data despite denials?
Yes. The researchers observed ZIP code and IP based geolocation being uploaded.
How many users were affected?
The identified families exceeded 700 million installs on Google Play.
What protocols should users trust instead?
Use WireGuard or OpenVPN with per device keys and no shared credentials.
