Overview

• Citizen Lab and Arizona State University released the Hidden Links report on August 19 detailing three covertly connected Android VPN families that share code, credentials, and backend servers.
• Shared hard-coded Shadowsocks passwords and weak or deprecated ciphers allow eavesdroppers to decrypt, infer, or tamper with client traffic.
• The implicated apps, including Turbo VPN, VPN Monster, Snap VPN and others, collectively account for more than 700 million Google Play downloads.
• Researchers documented undisclosed collection of location-related data and heavy obfuscation that concealed ownership ties, including links previously reported to Qihoo 360.
• The report advises avoiding Shadowsocks-based apps for privacy and urges stronger Google Play developer verification and security auditing, with no widespread takedowns reported to date.