A recent study examines massive families of VPN apps, totalling over 700 million Google Play downloads, that masquerade under different names yet share hidden ownership, cryptographic credentials, and serious security flaws. Researchers found that many apps use hard-coded Shadowsocks passwords and deprecated ciphers, making it possible to decrypt user traffic and bypass claimed privacy protections. Because these VPNs often disguise their provider identities and reuse insecure components, large user bases are exposed to risk even if only one app in the family is compromised.
Read the full report here.
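An added example (not code from the study or from any of the apps) of how an auditor could check Shadowsocks client settings extracted from a set of apps for the two problems described above: legacy non-AEAD ciphers and one password shared across several apps. The app names, passwords and config layout are constructed, and the AEAD allowlist is an assumption to adjust for the implementation under review.

```python
import hashlib
from collections import defaultdict

# Assumption: AEAD method names as used by common Shadowsocks implementations.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}

def is_aead(method: str) -> bool:
    m = method.lower()
    return m in AEAD_METHODS or m.startswith("2022-blake3-")

def derive_key(password: str, key_len: int = 32) -> bytes:
    """Password-based Shadowsocks master key: OpenSSL EVP_BytesToKey with MD5,
    no salt, one round. It is deterministic, so every app that ships the
    same password ends up with the same key."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password.encode()).digest()
        out += prev
    return out[:key_len]

def audit(configs):
    """configs: dicts with 'app', 'method', 'password' (hypothetical layout)."""
    findings, by_key = [], defaultdict(list)
    for c in configs:
        if not is_aead(c["method"]):
            findings.append((c["app"], "deprecated-cipher", c["method"]))
        # Report a fingerprint of the key, never the key or password itself.
        fp = hashlib.sha256(derive_key(c["password"])).hexdigest()[:16]
        by_key[fp].append(c["app"])
    for fp, apps in by_key.items():
        if len(apps) > 1:
            findings.append((tuple(sorted(apps)), "shared-credential", fp))
    return findings

# Constructed sample input: three apps, two of them sharing one password.
SAMPLE = [
    {"app": "vpn.alpha.example", "method": "rc4-md5", "password": "constructed-pass-1"},
    {"app": "vpn.beta.example", "method": "aes-256-gcm", "password": "constructed-pass-1"},
    {"app": "vpn.gamma.example", "method": "chacha20-ietf-poly1305", "password": "constructed-pass-2"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `shared-credential` finding means rotating the secret in one app is not enough: every app in that group has to be treated as exposed together.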