Virtual private networks are popular ways to keep your online activity private and hide your physical location from your internet service provider and apps. But it’s obviously important to choose a safe and secure VPN.
Three university researchers have discovered that 18 of the most widely used VPNs have shared infrastructures with serious security flaws that could expose customers’ browsing activity and leave their systems vulnerable to corrupted data. These VPNs are among the top 100 most popular on the Google Play Store, comprising more than 700 million downloads.
Read more: Best VPN Service for 2025: Our Top Picks in a Tight Race
The peer-reviewed study by the Privacy Enhancing Technologies Symposium found that these VPNs, despite calling themselves independent businesses, are actually grouped into three separate families of companies.
None of ‘s recommended VPNs — ExpressVPN, NordVPN, Surfshark, Proton VPN and Mullvad — are on the list. (If you currently don’t have a VPN, here’s why you might want to start using one.)
According to the findings, these are the three groups that contain the 18 VPNs:
- Family A: Turbo VPN, Turbo VPN Lite, VPN Monster, VPN Proxy Master, VPN Proxy Master Lite, Robot VPN, Snap VPN and SuperNet VPN
- Family B: Global VPN, Inf VPN, Melon VPN, Super Z VPN, Touch VPN, VPN ProMaster, XY VPN and 3X VPN
- Family C: X-VPN and Fast Potato VPN
Researchers determined that the VPNs in Family A are shared between three providers linked to Qihoo 360, a firm identified by the US Department of Defense as a Chinese military company. The VPNs in Family B use the same IP addresses from the same hosting company.
Know your VPN’s parent company
It’s a cautionary tale about why it’s important to know who’s behind the VPN you’re using, says senior writer Attila Tomaschek.
“It’s also crucial to know what kinds of data the VPN provider is sharing with its parent company and affiliated entities,” Tomaschek said. “Some of these companies may even be compelled to log customer activity and share it with authorities, depending on the jurisdiction in which they operate.”
Despite the warnings, Tomaschek says it’s not so easy to figure out who controls your VPN. But he says there are measures that customers can take.
“Users can do a few things to help ensure the VPN they’re using is reputable,” Tomaschek says. “Check the privacy policy — specifically for terms like ‘logging,’ ‘data sharing’ or ‘data collection.’ A Google search of the provider can help determine whether the VPN has been involved in questionable activity. Read detailed, unbiased reviews from reputable sources. Be especially wary of signing on with a free VPN, even if it’s listed as a top choice in your app store.”
The PETS researchers examined the most downloaded VPNs on Android, looking for overlaps among business paperwork, web presence and codebase. After identifying code similarities, they were able to group the 18 VPNs into three groups. The study was initially spurred by VPN Pro’s own findings, “Who owns your VPN? 105 VPNs run by just 24 companies.”
‘s Tomaschek has advice for anyone who has been using one of these 18 VPNs.
“I’d recommend deleting it from your device immediately,” he said. “If you suspect that any sensitive personal data may have been compromised, it’s a good idea to keep an eye on your credit report and look into services like dark web monitoring or identity theft protection.”
