 [Nate Nelson, Contributing Writer](/author/nate-nelson)June 27, 2025 4 Min Read  Source: Facinadora via Alamy Stock Photo [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users)[](https://www.reddit.com/submit?url=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users&title=Top%20Apple%2C%20Google%20VPN%20Apps%20May%20Help%20China%20Spy%20on%20Users)[](mailto:?subject=Top Apple, Google VPN Apps May Help China Spy on Users&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20Top%20Apple%2C%20Google%20VPN%20Apps%20May%20Help%20China%20Spy%20on%20Users%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fcloud-security%2Fapple-google-vpn-apps-china-spy-users) Ten of the top 100 virtual private network (VPN) apps on the Apple App Store and Google Play are covertly owned by Chinese companies that may put user privacy in danger, researchers are warning.It’s in the name — virtual private networks are one of the most private, sensitive technologies anyone can use. Companies use them to guard valuable proprietary information and communications. At-risk journalists and citizens living under oppressive regimes use them to circumvent oppressive government impositions on Internet freedom and conceal their activity from prying eyes. The integrity of a VPN product is critical to data privacy, whether it be in an ordinary, risky, or potentially safety-critical situation. On April 1, researchers from the Tech Transparency Project (TTP) published a report about 20 popular VPN apps that they allege are under legal obligation to provide total access to the Chinese Communist Party (CCP), should the CCP request it. Despite the potential privacy threat to users, three months later, most of the apps [remain on Apple and Google’s app stores](https://www.techtransparencyproject.org/articles/spot-check-apple-and-google-still-have-a-chinese-vpn-problem). Popular, Risky VPNs——————-Imagine you were looking for a VPN to protect your mobile phone activity. You find an app rated 4.7 out of 5 stars on the App Store, based on 192,000 reviews. ‘Amazing’ is the title of the first review that pops up on its page: ‘The best VPN ever I’ve had this since 2016.’ The app is #51 in the Productivity category — the 18th most popular VPN app in the US App Store. The user interface (UI) is clean, and it offers 24/7 chat support. Related:[Scattered Spider Taps CFO Credentials in ‘Scorched Earth’ Attack](/cloud-security/scattered-spider-cfo-scorched-earth-attack)How is anyone supposed to tell that Turbo VPN Private Browser is a property of [Qihoo 360](https://www.darkreading.com/vulnerabilities-threats/chinese-isp-china-is-victim-of-foreign-state-backed-apt-group), a Chinese company sanctioned by the US Department of Commerce for its links to the People’s Liberation Army (PLA)?This is to say: These are not low-grade, unloved VPNs deep in your app store’s catalog — they’re the kind of apps you’d run into quickly, if you were looking for one. Turbo is a multimillion-dollar app and ranks in Google Play’s top 10 most popular VPN apps. On Apple’s store, though, Tech Transparency Project found three shady, Chinese VPN apps that rank even higher than Turbo: VPN Proxy Master, Ostrich VPN, and X-VPN, the fourth most popular VPN available. The most popular of these apps conceal their true nature behind complex webs of corporate ownership, fronted by shell companies with anglicized names. Some of the developers listed as owning these apps, for example: ‘Free Connected Limited,’ ‘GeWare Technology Limited,’ and ‘ALL Connected Co., Limited’ (another one linked to Qihoo 360).Related:[Hackers Make Hay? Smart Tractors Vulnerable to Full Takeover](/cloud-security/hackers-hay-smart-tractors-vulnerable-takeover)Hiding any Chinese origins is useful, because the National Intelligence Law of 2017 compels Chinese companies and individuals to cooperate with [state intelligence](https://www.darkreading.com/threat-intelligence/china-apt-stole-geopolitical-secrets-from-middle-east-africa-and-asia) and the broad mandate it enjoys to invade anyone’s privacy. This means that at any time, and for any reason, the Chinese government can demand an app developer hand over any or all data belonging to any or all of its users, including those from outside of China, such as US companies and individuals.It would be hard to imagine a more invasive privacy risk than if this law were imposed on a VPN app. ‘Unlike a social media app, where your activity is platform-limited, VPN apps route all of a user’s activity online — that includes your activity on password-protected sites, development of work products, searches, essentially everything a user visits when using the VPN,’ emphasizes TTP director Katie Paul.A Double Standard for Chinese Apps?———————————–When apps look and act perfectly normally and have hundreds of thousands of good reviews, regular smartphone users aren’t in a position to suss out whether they might somehow trace back to a shady Chinese company. The onus, then, may lie with the companies that operate the platforms where these programs are distributed. But with three months gone since TTP’s initial report on the issue, 13 outed VPNs on the [App Store](https://www.darkreading.com/cloud-security/apple-boots-half-million-devs-official-app-store) and 11 on [Google Play](https://www.darkreading.com/endpoint-security/90-malicious-apps-55-million-downloads-google-play) remain live today.Related:[Cloud Repatriation Driven by AI, Cost, and Security](/cloud-security/cloud-repatriation-ai-cost-security)It might seem like a mismatch in how the US handles privacy threats from Chinese apps. ‘There have been entire bills dedicated to keeping TikTok and DeepSeek AI off of government devices because of the national security and privacy risks of those single-use platforms’ ties to China,’ Paul points out, but ‘the threat of VPNs is much more significant because of the range of activity that takes place when they are in use.’Unfortunately when it comes to Big Tech, she says, ‘companies’ failure to do effective moderation or due diligence is a symptom of the fact that there are no measures for these companies to be held accountable for failing to keep their platforms safe. There are no regulatory bodies, legal or civil repercussions for their failure to keep users safe as they claim to.’Notably, Apple has previously removed hundreds of apps at the behest of the Chinese government, an entity the company relies on to keep its manufacturing chain in place. That shows Apple is more than capable of mitigating these harms but appears to only choose to do so when there are repercussions.’Dark Reading has contacted both Apple and Google for comment on this story. [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users)[](https://www.reddit.com/submit?url=https://www.darkreading.com/cloud-security/apple-google-vpn-apps-china-spy-users&title=Top%20Apple%2C%20Google%20VPN%20Apps%20May%20Help%20China%20Spy%20on%20Users)[](mailto:?subject=Top Apple, Google VPN Apps May Help China Spy on Users&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20Top%20Apple%2C%20Google%20VPN%20Apps%20May%20Help%20China%20Spy%20on%20Users%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fcloud-security%2Fapple-google-vpn-apps-china-spy-users) About the Author—————- [Nate Nelson, Contributing Writer](/author/nate-nelson)
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote ‘Malicious Life,’ an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts ‘The Industrial Security Podcast.’ [See more from Nate Nelson, Contributing Writer](/author/nate-nelson) Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. [Subscribe](https://dr-resources.darkreading.com/free/w_defa3135/prgm.cgi?a=1) More Insights Webinars* [New Research: Machine Learning Classifiers Don’t Need Negative Labels](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_defa8737&ch=SBX&cid=_upcoming_webinars_8.500001573&_mc=_upcoming_webinars_8.500001573)Jul 16, 2025* [Think Like a Cybercriminal to Stop the Next Potential Attack](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_cmdc03&ch=SBX&cid=_upcoming_webinars_8.500001572&_mc=_upcoming_webinars_8.500001572)Jul 22, 2025* [Elevating Database Security: Harnessing Data Threat Analytics and Security Posture](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_rubr156&ch=SBX&cid=_upcoming_webinars_8.500001574&_mc=_upcoming_webinars_8.500001574)Jul 23, 2025* [The DOGE-effect on Cyber: What’s happened and what’s next?](https://www.brighttalk.com/webcast/18975/628444?utm_source=brighttalk-darkreading&utm_medium=web&utm_campaign=curation04242025&cid=_upcoming_webinars_8.500001554&_mc=_upcoming_webinars_8.500001554)Jul 24, 2025[More Webinars](/resources?types=Webinar) Events* [-[Virtual Event-] Strategic Security for the Modern Enterprise](https://ve.informaengage.com/virtual-events/strategic-security-for-the-modern-enterprise/?ch=sbx&cid=_session_16.500334&_mc=_session_16.500334)Jun 26, 2025* [-[Virtual Event-] Anatomy of a Data Breach](https://ve.informaengage.com/virtual-events/an-anatomy-of-a-data-breach-and-what-to-do-if-it-happens-to-you/?ch=sbx&cid=_session_16.500333&_mc=_session_16.500333)Jun 18, 2025* [-[Conference-] Black Hat USA – August 2-7 – Learn More](https://www.blackhat.com/us-25/?_mc=we_bhas25_drcuration&cid=_session_16.500330)Aug 2, 2025[More Events](/events) You May Also Like*** ** * ** ***[Сloud SecurityAI Cloud Adoption Is Rife With Cyber Mistakes](https://www.darkreading.com/cloud-security/ai-cloud-adoption-cyber-mistakes) [Сloud SecurityDisney, Nike, IBM Signatures Anchor 3M Fake Emails a Day](https://www.darkreading.com/cloud-security/disney-nike-ibm-signatures-3m-fake-emails) [Сloud SecurityCyberattackers Accessed HealthEquity Customer Info via Third Party](https://www.darkreading.com/cloud-security/cyberattackers-accessed-healthequity-customer-info-third-party) [Сloud SecurityPatch Now: ServiceNow Critical RCE Bugs Under Active Exploit](https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit)
Related Tags:
Play
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 334 – Computer And Electronic Product Manufacturing
NAICS: 517 – Telecommunications
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 33 – Manufacturing – Metal
Electronics And Other
NAICS: 51 – Information
Blog: Dark Reading
Associated Indicators: