Millions of people trust virtual private networks (VPNs) to keep their online activity safe and anonymous. But what if the very VPNs they rely on are secretly linked to a Chinese cybersecurity firm blacklisted by the U.S. government?
A new investigation has revealed that at least five VPN apps available on Apple’s App Store and Google’s Play Store have connections to Qihoo 360, a Chinese company sanctioned by the U.S. for its alleged ties to the Chinese military. These apps include Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN.
The U.S. government sanctioned Qihoo 360 in 2020, cutting it off from American technology. Later, it was placed on a list of Chinese companies suspected of military links. Despite these restrictions, its VPN apps remained widely available to millions of users worldwide.
Hidden Ownership and Data Privacy Risks
The companies behind these VPNs have a complicated ownership structure. They are operated by a Singapore-based company called Innovative Connecting Pte, which is owned by Lemon Seed Technology, a company registered in the Cayman Islands. Qihoo 360 purchased Lemon Seed and two other companies in early 2020 for nearly $70 million.
3 Asian Giants Japan, China and South Korea Unite Against US Tariffs, Pursue Bold Free Trade Pact
Later that year, after facing U.S. sanctions, Qihoo claimed to have sold its VPN business, but evidence suggests otherwise. A subsidiary in Guangzhou, China, continued to employ developers working on these VPNs. This subsidiary remained part of Qihoo for years before being sold for a suspiciously low amount in 2023 to a newly created firm in Beijing.
Even after the supposed sale, employees in Guangzhou admitted they were still working on these foreign VPNs. One programmer said, “You could say that we’re part of them and you could say we’re not. It’s complicated.”
This raises major concerns about who truly controls these VPNs and what happens to the data they collect. China’s national security laws require companies to share data with government authorities if asked. This means millions of users worldwide might be unknowingly sending their internet traffic through servers controlled by a firm with ties to the Chinese government.
Tech Giants Under Scrutiny for Hosting These VPNs
Apple and Google have strict rules about VPN apps collecting user data without permission. Apple specifically bans VPNs from sharing data with third parties. However, enforcing these rules is difficult. A security expert at Johns Hopkins University pointed out that VPNs have deep access to a phone’s internet connection, making it hard to verify whether they truly follow privacy policies.
3 Soldiers From Taiwan’s Presidential Security Convicted in Explosive Espionage Case Linked to China
After being contacted for comment, Apple removed Thunder VPN and Snap VPN from its store. However, other Qihoo-linked VPNs, including Turbo VPN, remain available. Google has taken a different approach, introducing a “verified” badge for VPNs that meet certain security requirements. Surprisingly, Turbo VPN, one of the flagged apps, received this verification.
Apple defended its policies, stating that it removes apps that break its rules. However, it also clarified that it does not restrict app ownership based on a company’s nationality. Google echoed similar sentiments, saying it complies with all sanctions and trade laws and takes action when necessary.
Despite these reassurances, millions of users continue to download these VPNs, unaware of their hidden ties. A recruitment listing from the Guangzhou-based subsidiary even stated that their apps serve over 10 million daily users across 220 countries.
With increasing concerns about digital privacy and national security, this revelation puts Apple and Google under pressure to better scrutinize the apps they allow on their platforms. For now, users who rely on VPNs for privacy should be cautious about which apps they trust.
