A fresh report has renewed concerns about major VPN apps covertly linked to China — and how Apple and Google are still hosting them, despite national security red flags. The risk? Users might unknowingly hand over sensitive data to developers that could legally be required to share it with the Chinese state.
This isn’t about obscure or shady apps buried deep in the store. We’re talking about sleek, high-rated VPNs trusted by millions — now revealed to be owned, at least in part, by Chinese firms with alarming legal obligations.
Silent Gateways to Surveillance?
VPNs are supposed to be your shield. They route all your online traffic through secure servers, hiding what you do online from everyone — hackers, your internet provider, even your own government. So, when a VPN is secretly tied to a country known for aggressive digital surveillance like China, that shield suddenly becomes a potential funnel.
That’s the chilling point researchers at the Tech Transparency Project (TTP) made in their April 1 report. They found 20 high-ranking VPN apps owned by companies either based in China or linked to Chinese firms. Ten of them are among the top 100 most downloaded VPN apps right now.
Some of the apps in question? Turbo VPN, VPN Proxy Master, Ostrich VPN, and X-VPN — the last of which ranks fourth overall in the App Store’s VPN category.
The Hidden Web of Ownership
If you check the app listing for Turbo VPN, nothing screams “Beijing.” In fact, most users will see a polished design, thousands of glowing reviews, and round-the-clock support.
But behind that smooth façade is Qihoo 360, a Chinese cybersecurity giant sanctioned by the U.S. Commerce Department over ties to China’s military.
These apps aren’t transparent about who runs them. Most are filed under generic developer names like:
-
Free Connected Limited
-
GeWare Technology Limited
-
ALL Connected Co., Limited
These aren’t just random corporate aliases. They’re shell companies — often layered through multiple jurisdictions — to make it harder for anyone, even privacy-savvy users, to trace them back to China.
What Makes a Chinese VPN So Dangerous?
Let’s not forget — China’s National Intelligence Law of 2017 forces companies and even individuals to cooperate with its intelligence agencies when asked. That means data doesn’t just stay with the app developer.
Katie Paul, TTP’s director, broke it down clearly: “Unlike a social media app, where your activity is platform-limited, VPN apps route all of a user’s activity online — including work, banking, medical logins, and private messages.”
She’s not exaggerating. VPNs see it all.
So if you’re using one of these apps, your data might be sitting on a server in China — or worse, shared with authorities without you ever knowing.
The Double Standard Nobody Talks About
Here’s where it gets frustrating. TikTok, another Chinese-linked app, has been in the U.S. government’s crosshairs for years. Entire bills have been introduced to kick it off federal devices.
But VPNs — which arguably have access to far more sensitive user data — have somehow flown under the radar.
Three months after the TTP’s findings, Apple and Google still host nearly all the VPNs named in the report. That’s:
-
13 apps still live on the App Store
-
11 still downloadable from Google Play
Why the slow response?
Paul suggests it might be because there’s no regulatory pressure. “There are no legal or civil repercussions for failing to keep users safe,” she says. “It’s not about technical capability — it’s about incentives.”
Apple and Google: Look the Other Way?
There’s a bitter irony here. Apple has previously taken down hundreds of apps at China’s request — mostly ones that allowed access to content the CCP deems sensitive or subversive.
They can act fast when Beijing calls.
But when it’s about protecting U.S. citizens from apps potentially funneling their data to that same government? Not so much.
And the timing makes it even more concerning. With tensions between the U.S. and China deepening — especially around data security — regulators may soon have to step in where tech giants have dragged their feet.
How to Know If Your VPN Is a Trojan Horse
Most users have no clue how to spot a risky app. Clean user interfaces and five-star ratings are deceiving. But there are signs, if you know what to look for.
Here’s a simple table showing what you can check:
| What to Check | Red Flag Example |
|---|---|
| App Developer Name | Generic names like “ALL Connected” |
| Company Address | Vague, off-shore jurisdictions |
| No Website or Info | No transparent contact or support |
| Ownership History | Linked to Chinese parent firms |
| Inconsistent Branding | Multiple clones under different names |
Still, the average person probably won’t catch this. That’s why Paul and other digital rights experts argue the burden shouldn’t be on consumers.
Just like we expect seat belts in cars and warnings on cigarette packs, we should expect app stores to vet the software they promote — especially software that runs all your internet traffic.
