Delete Every App That's On This List—Your Phone Will Be Tracked

Forbes

a day ago

Two shocking warnings this week for smartphone owners — one common theme. Some of the most popular apps on your phone are spying on you, tracking you, promising to secure your data while doing the opposite. Find these apps and delete them.
What makes these warnings worse — much worse — is that these apps are VPNs, the virtual private networks that are soaring in popularity as a result of the porn bans now hitting users in the U.S. and Europe. VPNs tunnel all your data to and from the web, they see everything you do, it's hard to overplay the risk when 'mislead' you.
That's the TL;DR in a new report into 'hidden links' between VPNs with more than 700 million Google Play Store downloads. 'We use hidden relationships between supposedly distinct VPN providers as an indirect indicator of deceptive behavior,' the team says.
The hidden links identified by the team from Citizen Lab and Arizona State University are ownership related, multiple VPNs under different names but from one developer, and even more alarmingly the links between those developers and China. These 'secret families' of VPNs, the team, says, pose a very significant risk to all users.
The idea that millions of westerners are using dangerous Chinese VPNs to bypass porn bans in their own countries is ridiculous. But there are no rules against Chinese developers launching VPNs on mainstream app stores which they often give away for free. Their payment is the data they collect despite promising they don't.
'Even when the VPN did not request the location permission, it requested the zip code of the user's public IP from ip-api.com, which it subsequently uploaded to a Firebase endpoint. The apps' privacy policies all claim they do not collect user addresses (personal or business), yet we observed them to do so.'
That means tracking the location of your phone — data which can be sold or used for other purposes. Remember, the unique role of a VPN also means it can collect your location and details on websites you visit. All while you believe that activity is hidden. 'The undisclosed location collection issue is a major violation of user trust and privacy given the provider explicitly stated they did not collect such information.'
In reality, the only thing hidden is the nature of the VPN itself. And that's even more extreme in the second warning this week. Koi Security has discovered that while 'FreeVPN.One looked like a safe choice,' in reality 'once in your browser, it's not working to keep you safe, it's continuously watching you.'
And it's stark. 'Seconds after any page loads, a background trigger grabs a screenshot and sends it with the page URL, tab ID, and a unique user identifier. No user action, no UI hint, the screenshots are taken in the background without you ever knowing.'
Meanwhile, Citizen Lab and ASU 'identified and analyzed three families of VPN providers.' One of those families, 'InnovativeConnecting, Autumn Breeze, and Lemon Clove,' the team says, has been 'previously linked' to China's People's Liberation Army.
I've reported before on these links between popular, usually free VPNs and the Chinese state. 'Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies,' the Tech Transparency Project (TTP) warns.
The new report echoes this. 'We analyze the privacy and security of VPN apps whose providers intentionally disguise their ownership. We use hidden relationships between supposedly distinct VPN providers as an indirect indicator of deceptive behavior.'
Not only does this latest basket of VPNs track user locations, but it's actual security is alarmingly weak. 'These apps share not only common ownership but a common set of security issues. As such, these apps' providers are not merely misleading their users about their ownership but about the extent of their security properties as well.'
This includes the use of 'Shadowsocks passwords that are hard-coded into their APKs. Hard-coded Shadowsocks passwords allow an attacker to decrypt the traffic of these providers' clients, compromising the security claimed by these providers.'
Ironically, the security flaws are a digital fingerprint. 'We search for VPN-specific security issues in the deceptive providers' apps to uncover shared flaws. These shared flaws themselves serve as a signature by which to map relationships between providers.'
This closed network of VPN providers is now well-flagged. In addition to TTP's report, VPNPro has also investigated these links in the past. But nothing has changed, despite Google telling me that it is "committed to compliance with applicable sanctions and trade compliance laws. When we locate accounts that may violate these laws, our related policies or Terms of Service, we take appropriate action.'
The bar is higher for VPNs than ordinary apps. Do not use one that isn't fully secured — you're better protected without. While encrypted traffic from your device is protected, the metadata is not and the risk you will be redirected when browsing is high.
'These weaknesses nullify the privacy and security guarantees the providers claim to offer. These issues are even more concerning when accounting for the fact that the providers appear to be owned and operated by a Chinese company and have gone to great lengths to hide this fact from their 700+ million combined user bases.'
The list of apps is below. Given their 'misleading' security credentials, delete these from your phone. Here is a recap on the golden rules when it comes to VPNs:
List of VPNs flagged by new report: