Virtual Private Networks (VPNs) are often promoted as essential tools for privacy. But new research reveals that many of the most downloaded VPN apps actually hide their ownership, collect user data without consent, and rely on outdated or insecure encryption. Instead of protecting users, these apps create new risks for both individuals and organizations.
This matters for everyone. Employees who install third-party VPN apps on work devices, or even personal devices used in a corporate environment, can unintentionally create blind spots in security controls. And for the industry as a whole, the proliferation of deceptive VPN providers undermines trust in digital infrastructure.
The paper (I linked it above) examined VPN apps downloaded over 700 million times and discovered disturbing patterns:
Hidden ownership: several families of VPN providers presented themselves as based in jurisdictions perceived as safe, such as Singapore, while corporate records linked them back to Chinese companies, including some with ties to the People’s Liberation Army.
Weak security: hard-coded Shadowsocks passwords that anyone who unpacks the app can recover, deprecated stream ciphers such as RC4-MD5 that provide no integrity protection, and flaws enabling blind in/on-path attacks; all of these expose user traffic to interception or tampering.
Deceptive practices: despite privacy policies stating otherwise, apps quietly collected user location data such as zip codes.
Shared infrastructure: Different apps from supposedly different providers used the same servers, credentials, and codebases, confirming hidden links.
In short, these apps were not only untrustworthy in their business practices, they were unsafe in their technical design.
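The weak-security findings above are checkable. The script below is an added example, not code from the paper or from ThreatSTOP: it parses the two ss:// URI forms a Shadowsocks-based app can embed (legacy and SIP002), flags any method that is not a SIP004 AEAD cipher, and reports passwords or servers shared between supposedly unrelated apps, which is exactly the kind of hidden link the researchers used to tie app families together. The app names, servers, passwords and URIs are constructed for illustration.

```python
"""Audit Shadowsocks credentials embedded in VPN apps.

Added example, not code from the paper or from ThreatSTOP. The app names,
servers, passwords and ss:// URIs below are constructed for illustration.
"""
import base64
from urllib.parse import unquote

# SIP004 AEAD ciphers are the only methods Shadowsocks still considers secure;
# stream ciphers (rc4-md5, aes-*-cfb, chacha20, ...) carry no integrity
# protection.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}


def _b64decode_loose(s: str) -> str:
    """Decode standard or URL-safe base64, tolerating the missing padding
    that SIP002 URIs use."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, altchars="-_").decode()


def parse_ss_uri(uri: str) -> dict:
    """Parse both URI forms an app may embed:
    legacy  ss://base64(method:password@host:port)#tag
    SIP002  ss://base64url(method:password)@host:port/?plugin=...#tag
    """
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// URI")
    body = uri[len("ss://"):].split("#", 1)[0]              # drop the tag
    if "@" in body:                                          # SIP002
        userinfo, rest = body.rsplit("@", 1)
        hostport = rest.split("/", 1)[0].split("?", 1)[0]    # drop plugin options
        creds = unquote(userinfo)
        if ":" not in creds:     # base64 never contains ':', plaintext userinfo does
            creds = _b64decode_loose(creds)
    else:                                                    # legacy
        creds, hostport = _b64decode_loose(body).rsplit("@", 1)
    method, password = creds.split(":", 1)
    host, port = hostport.rsplit(":", 1)
    return {"server": host, "server_port": int(port),
            "method": method.lower(), "password": password}


def audit_apps(app_uris: dict) -> dict:
    """Map each app name to a list of findings: a deprecated cipher, and
    credentials or servers shared with other apps (a sign of hidden common
    ownership). An empty list means nothing was flagged."""
    parsed = {app: parse_ss_uri(uri) for app, uri in app_uris.items()}
    by_password, by_server = {}, {}
    for app, cfg in parsed.items():
        by_password.setdefault(cfg["password"], []).append(app)
        by_server.setdefault((cfg["server"], cfg["server_port"]), []).append(app)
    findings = {}
    for app, cfg in parsed.items():
        notes = []
        if cfg["method"] not in AEAD_METHODS:
            notes.append(f"non-AEAD cipher '{cfg['method']}'")
        for label, groups, key in (
            ("password", by_password, cfg["password"]),
            ("server", by_server, (cfg["server"], cfg["server_port"])),
        ):
            others = sorted(a for a in groups[key] if a != app)
            if others:
                notes.append(f"{label} shared with {', '.join(others)}")
        findings[app] = notes
    return findings


# Constructed sample: three hypothetical apps with the credentials an analyst
# might pull from their APKs. Two of them share a server and a password.
SAMPLE_APP_URIS = {
    "FreeTurboVPN": "ss://" + base64.b64encode(
        b"rc4-md5:letmein123@203.0.113.10:8388").decode() + "#turbo",
    "SuperFastVPN": "ss://" + base64.urlsafe_b64encode(
        b"aes-256-cfb:letmein123").decode().rstrip("=")
        + "@203.0.113.10:8388/?plugin=obfs-local%3Bobfs%3Dhttp",
    "HonestVPN": "ss://" + base64.urlsafe_b64encode(
        b"chacha20-ietf-poly1305:correct-horse-battery-staple").decode().rstrip("=")
        + "@198.51.100.7:443",
}

if __name__ == "__main__":
    for app, notes in audit_apps(SAMPLE_APP_URIS).items():
        print(app, "->", notes or ["ok"])
```

Run it and the two apps that share `203.0.113.10:8388` and the password `letmein123` are reported against each other, while the AEAD-only app comes back clean. A shared password is worse than it looks: because Shadowsocks derives the session key from it, anyone holding one app's hard-coded secret can decrypt traffic from every app in the family that reuses it.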
Employees often install free or “fast” VPN apps to bypass restrictions, access foreign content, or create an illusion of privacy. What they actually do is:
Bypass security controls: traffic inside a third-party VPN tunnel cannot be inspected, filtered, or logged by corporate security teams; at best they see an encrypted connection to the provider's endpoint.
Enable exfiltration: sensitive data can be tunneled out of the network undetected, whether by a malicious insider or by the VPN app itself, over channels whose encryption the organization has never vetted.
Introduce hidden backdoors: VPN apps may connect to infrastructure controlled by unverified or even hostile entities.
The VPN app ecosystem is riddled with deceptive ownership and insecure implementations. These findings are not isolated; they represent systemic weaknesses. App stores host these applications, businesses underestimate their risks, and end users assume they are protected.
For the cybersecurity industry, this is a reminder that trust is earned not only through strong encryption but also through transparency, ownership, and accountability. ThreatSTOP brings these issues to light and provides a practical path to remediation: stopping rogue VPN traffic before it compromises your network.
ThreatSTOP’s mission is to ensure organizations never have to trust unknown VPN apps. Our protections are designed to cut off untrusted traffic at its source, including many of the apps listed in this paper!
Protective DNS (DNS Defense Cloud and DNS Defense): Blocks DNS lookups to known third-party VPN services, anonymizers, and malicious infrastructure before connections can be established.
IP Defense: Enforces policy directly at the firewall, router, IPS, or even AWS WAF, preventing data exfiltration or command-and-control traffic from reaching its destination.
The ThreatSTOP Security, Intelligence, and Research team continuously updates these protections, tracking infrastructure tied to VPN abuse, command-and-control, data theft, peer-to-peer misuse, and more.
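To make the Protective DNS layer concrete, here is an added example of the mechanics, not ThreatSTOP code: it scans resolver query logs for lookups that fall under a VPN/anonymizer blocklist, using the same suffix matching an RPZ wildcard entry applies, and emits the RPZ records that would turn those lookups into NXDOMAIN before a connection is made. The blocklist uses RFC 2606 `.example` names rather than real providers, and the log lines are constructed in BIND 9 querylog style.

```python
"""Detect VPN/anonymizer lookups in a resolver query log and emit the RPZ
records a protective DNS service would use to block them.

Added example, not ThreatSTOP code: the blocklist uses RFC 2606 .example
names rather than real providers, and the log lines are constructed in
BIND 9 querylog style.
"""
import re
from collections import defaultdict

VPN_BLOCKLIST = {
    "freeturbovpn.example",
    "superfast-proxy.example",
    "anon-tunnel.example",
}

# BIND 9 querylog line shape:
# client @0x7f... 10.0.4.23#51234 (name): query: name IN A +E(0)K (10.0.0.53)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matching_zone(qname: str, blocklist=VPN_BLOCKLIST):
    """Return the blocklist entry that covers qname (the name itself or any
    parent domain), the way an RPZ wildcard entry matches, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_querylog(lines, blocklist=VPN_BLOCKLIST) -> dict:
    """Return {client_ip: {blocked_zone: query_count}} so the SOC can see
    which hosts are trying to reach VPN infrastructure."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                      # not a query line (or malformed)
        zone = matching_zone(m["qname"], blocklist)
        if zone:
            hits[m["client"]][zone] += 1
    return {client: dict(zones) for client, zones in hits.items()}


def rpz_records(blocklist=VPN_BLOCKLIST) -> list:
    """RPZ policy records for the blocklist: 'CNAME .' answers NXDOMAIN for
    the domain and, via the wildcard, for every name beneath it."""
    records = []
    for zone in sorted(blocklist):
        records.append(f"{zone} CNAME .")
        records.append(f"*.{zone} CNAME .")
    return records


# Constructed query-log lines: one host resolving a VPN API twice, one benign
# lookup, one anonymizer relay lookup, and one non-query line to be skipped.
SAMPLE_QUERYLOG = [
    "01-Sep-2025 10:15:02.123 client @0x7f2b5c0a2c50 10.0.4.23#51234 "
    "(api.freeturbovpn.example): query: api.freeturbovpn.example IN A +E(0)K (10.0.0.53)",
    "01-Sep-2025 10:15:02.131 client @0x7f2b5c0a2c50 10.0.4.23#51235 "
    "(api.freeturbovpn.example): query: api.freeturbovpn.example IN AAAA +E(0)K (10.0.0.53)",
    "01-Sep-2025 10:15:03.004 client @0x7f2b5c0a2d10 10.0.4.23#51236 "
    "(www.example.org): query: www.example.org IN A +E(0)K (10.0.0.53)",
    "01-Sep-2025 10:15:09.877 client @0x7f2b5c0a2e20 10.0.7.9#44102 "
    "(relay3.anon-tunnel.example): query: relay3.anon-tunnel.example IN A +E(0)K (10.0.0.53)",
    "01-Sep-2025 10:15:10.000 zone example.internal/IN: loaded serial 2025090101",
]

if __name__ == "__main__":
    for client, zones in scan_querylog(SAMPLE_QUERYLOG).items():
        print(client, zones)
    print("\n".join(rpz_records()))
```

The caveat a practitioner should keep in mind: DNS blocking only works when the app resolves a name. Several of the apps in the paper carry hard-coded server IP addresses, and those connections never touch the resolver, which is why the IP-layer enforcement described above is needed alongside Protective DNS rather than instead of it.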
Rogue VPNs represent both a user awareness problem and a systemic industry challenge. By proactively blocking them with ThreatSTOP, organizations gain visibility and control over traffic that would otherwise disappear into encrypted tunnels.
This proactive approach not only strengthens compliance and data protection, it ensures that attackers cannot quietly exploit unvetted VPNs as a channel into or out of your network.
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!
Connect with Customers, Disconnect from Risks
| VPN Abuse Risk | ATT&CK Technique ID | ATT&CK Technique |
|---|---|---|
| Data exfiltration via unauthorized VPN | T1041 | Exfiltration Over C2 Channel |
| Command and control through VPN tunnels | T1090.003 | Proxy: Multi-hop Proxy |
| Use of weak/deprecated encryption | T1600 | Weaken Encryption |
| Hidden ownership and deceptive software | T1584 | Compromise Infrastructure |
| Location tracking without consent | T1430 | Location Tracking (ATT&CK for Mobile) |
| Blind in/on-path attacks | T1565.002 | Data Manipulation: Transmitted Data Manipulation |