A new report from the Tech Transparency Project (TTP) reveals that millions of users may be risking their privacy by using popular VPN apps secretly owned by Chinese companies. Despite national security concerns, these apps remain on Apple and Google’s app stores, potentially giving Chinese authorities access to a vast amount of sensitive user data, from banking logins to private messages. This raises serious questions about the vetting process of major tech platforms.
The Unseen Threat in Your Phone’s VPN
You download a VPN to protect your data, but what if it’s doing the opposite? That’s the core issue highlighted in a recent TTP report. Researchers identified 20 popular VPN applications with direct ties to China, a country known for its extensive state surveillance programs. These aren’t obscure, low-quality apps; many are highly-rated and have millions of downloads.
The investigation found that the problem is widespread. Ten of the identified VPNs are currently ranked among the top 100 most downloaded in their category. This means a significant number of people seeking online privacy might be unknowingly using a potential data funnel.
Some of the top-ranking apps named in the report include:
- Turbo VPN
- VPN Proxy Master
- Ostrich VPN
- X-VPN
X-VPN, for example, is ranked as the fourth most popular VPN in Apple’s App Store, showing just how mainstream these risky applications have become.
Hidden Owners and Deceptive Names
If you were to look up these apps, you would not find any obvious link to China. Their listings are polished, they are filled with positive reviews, and their developer names seem generic and harmless. For example, Turbo VPN is listed under a developer named “Free Connected Limited,” giving no hint of its true ownership.
However, digging deeper reveals a complex web of shell companies designed to hide the truth. The report traced Turbo VPN’s ownership back to Qihoo 360, a major Chinese cybersecurity firm. This company is so deeply connected to China’s military-industrial complex that it was sanctioned by the U.S. Commerce Department.
This practice is common. Developers use vague corporate names registered in offshore locations to make it nearly impossible for a regular user to trace who is handling their data.
Why a Chinese-Linked VPN is a Major Risk
The danger isn’t just theoretical. China’s National Intelligence Law of 2017 legally compels all organizations and citizens to “support, assist and cooperate with the state intelligence work.” This means if Chinese authorities ask a company for user data, the company has no legal choice but to comply.
Katie Paul, the director of TTP, emphasized the unique danger posed by VPNs. “Unlike a social media app, where your activity is platform-limited, VPN apps route all of a user’s activity online — including work, banking, medical logins, and private messages.” A compromised VPN has access to virtually everything you do on the internet.
App Stores Under Fire for Slow Response
Despite these serious findings, the response from Apple and Google has been alarmingly slow. Three months after the TTP report was published, most of the named apps are still available for download. Currently, 13 of the apps are on the App Store and 11 are on the Google Play Store.
This inaction stands in stark contrast to the intense regulatory scrutiny faced by other Chinese-linked apps like TikTok. It also highlights a frustrating double standard, as Apple has previously been quick to remove apps from its store at the request of the Chinese government. When it comes to protecting American users from potential surveillance, however, the same urgency appears to be missing.
How to Spot a Potentially Risky VPN
For the average user, identifying a dangerous VPN is difficult. A slick interface and thousands of five-star reviews can easily hide a risky ownership structure. However, there are a few red flags you can look for before downloading.
This table outlines some common warning signs:
| What to Check | Red Flag Example |
| App Developer Name | Generic names like “ALL Connected” or “Free Connected Limited” |
| Company Address | Vague, off-shore jurisdictions with no clear headquarters |
| No Website or Info | The developer has no transparent website with contact or ownership info |
| Ownership History | A quick search reveals links to Chinese parent companies |
| Inconsistent Branding | The same app appears under multiple names or developers |
While these tips can help, digital rights advocates argue the responsibility should not fall on the consumer. App stores like Apple’s and Google’s serve as gatekeepers and have a duty to ensure the software they promote is safe for users.
Frequently Asked Questions
What is the main risk of using a Chinese-linked VPN?
The biggest risk is that your personal data could be shared with Chinese authorities. China’s laws require companies to cooperate with state intelligence, meaning your browsing history, messages, and login credentials could be exposed without your consent.
Are all VPNs with Chinese ties dangerous?
While not every developer will misuse data, the legal framework in China creates a significant risk. Because companies are legally obligated to share data with the government if requested, any VPN subject to Chinese law cannot guarantee user privacy.
How can I find a safe VPN?
Look for VPNs based in countries with strong privacy laws, such as Switzerland or Panama. Choose providers that have a clear no-logs policy that has been independently audited. Avoid free VPNs, as they often make money by selling user data.
Why haven’t Apple and Google removed these apps?
Experts suggest it’s due to a lack of regulatory pressure. Without legal or financial consequences for hosting these apps, the tech giants have little incentive to act proactively. This may change as geopolitical tensions around data security continue to rise.
