Delete Every App That’s On This List—Your Phone Will Be Tracked

Security Alert: Delete These Popular Tracking Apps Now

A devastating new report from cybersecurity researchers has exposed a hidden surveillance network operating through some of the world’s most popular mobile applications. With over 700 million combined downloads, these apps have been secretly collecting user data while masquerading as privacy-protecting services. The findings reveal a sophisticated operation that threatens millions of smartphone users worldwide, particularly those seeking to protect their online privacy.

The Shocking Discovery: VPNs That Spy Instead of Protect

The groundbreaking investigation by Citizen Lab and Arizona State University has uncovered what researchers call “secret families” of VPN applications that share hidden ownership structures and dangerous security vulnerabilities. These aren’t ordinary privacy concerns—they represent a systematic breach of user trust involving apps that explicitly promise to protect your data while doing the exact opposite.

The most alarming aspect of this discovery involves the connection to Chinese surveillance networks. Multiple VPN providers with seemingly different names are actually controlled by a single entity with documented ties to Qihoo 360, a Chinese cybersecurity firm sanctioned by the US government for its links to China’s People’s Liberation Army.

Under Chinese national security laws, companies operating in China can be compelled to share user data with government authorities without user knowledge or consent. This creates an unprecedented risk for users who believe their internet activity is protected, when in reality, it’s being funneled directly to foreign surveillance networks.

Mobile app security risk levels by category

How These Apps Exploit Your Trust

The deceptive practices uncovered by researchers go far beyond simple data collection. These applications employ sophisticated techniques to mask their true nature while harvesting sensitive personal information:

Location Tracking Despite Privacy Claims: Even when VPN apps don’t request location permissions, they secretly collect user zip codes through third-party services and upload this data to external servers. This occurs despite privacy policies explicitly stating they don’t collect user addresses.

Screenshot Surveillance: One particularly dangerous app, FreeVPN.One, was discovered taking automatic screenshots of users’ browsers seconds after any page loads, transmitting these images along with URLs, tab IDs, and unique user identifiers without any notification or user consent.

Hard-coded Security Vulnerabilities: Multiple apps share the same hard-coded Shadowsocks passwords embedded directly in their programming code. This fundamental security flaw allows anyone who discovers these passwords to decrypt the traffic of all users across multiple applications.

The scale of this surveillance operation is staggering. Research indicates that 53% of paid Android VPN apps leak user data, with many utilizing third-party DNS servers that can monitor all user activity. This represents a complete failure of the basic security promises these applications make to users.

The Chinese Connection: National Security Implications

The investigation has revealed direct links between popular VPN applications and Chinese state-controlled entities. Qihoo 360, the company at the center of this network, was sanctioned by the US Commerce Department in 2020 for its connections to China’s military apparatus.

Apps connected to this network include some of the most popular VPN services available:

  • Turbo VPN (over 100 million downloads)
  • Snap VPN (significant market presence)
  • VPN Proxy Master (widely distributed)
  • Signal Secure VPN (available on both platforms)

These applications use complex corporate structures involving shell companies registered in Singapore, the Cayman Islands, and other jurisdictions to obscure their Chinese ownership. Corporate filings reveal that despite claims of independence, many of these entities maintain directors with documented connections to Qihoo 360’s mobile security division.

The Tech Transparency Project warns that millions of Americans have unknowingly downloaded applications that route their internet traffic through Chinese-controlled servers, potentially exposing sensitive personal and professional information to foreign surveillance.

Apps You Must Delete Immediately

Based on the comprehensive research conducted by Citizen Lab, ASU, and various cybersecurity organizations, the following applications pose immediate security risks and should be removed from your device:

High-Risk VPN Applications:

High-Risk VPN Applications:
  • Turbo VPN
  • VPN Proxy Master
  • Snap VPN
  • Signal Secure VPN
  • Thunder VPN
  • VPNify
  • Ostrich VPN
  • Now VPN
  • X-VPN
  • SuperVPN
  • GeckoVPN
  • ChatVPN
  • FreeVPN.One

Additional Concerning Apps:

  • Hola VPN (peer-to-peer network vulnerabilities)
  • Various apps from developers: Innovative Connecting, Autumn Breeze, Lemon Clove

The research identified three distinct families of VPN providers operating under this deceptive structure. The first family, including Innovative Connecting, Autumn Breeze, and Lemon Clove, has been directly linked to Chinese military entities and maintains over 700 million combined downloads.

The Technical Reality: How Your Data Is Compromised

The security vulnerabilities discovered in these applications represent fundamental failures in basic cybersecurity practices. Researchers found that many apps use outdated Shadowsocks encryption with passwords permanently embedded in the application code.

This creates what cybersecurity experts call a “master key” vulnerability—anyone who obtains these hard-coded passwords can decrypt all user traffic across all devices using these applications. The passwords are identical across different apps within the same family, confirming the shared infrastructure and common ownership.

DNS Leakage and Tracking: Despite promises of anonymity, 23% of tested VPN applications leak DNS requests, revealing users’ actual browsing activities to third parties. Many apps also utilize external DNS servers operated by companies that can monitor and log all user queries.

Metadata Exposure: While VPN traffic may appear encrypted, the metadata—including connection times, data volumes, and communication patterns—remains visible to operators and can be used to build detailed profiles of user behavior.

Corporate Profit From Privacy Violations

Both Apple and Google continue to profit from these privacy-violating applications through their standard revenue-sharing models. Apple and Google typically retain 30% of all in-app purchases, while also potentially earning from advertising revenue shared with developers.

Despite repeated warnings from cybersecurity researchers and government agencies, both companies have been slow to remove problematic applications. While some apps have been quietly removed following media inquiries, many others remain available for download.

The financial incentives for maintaining these apps are substantial. Apps like X-VPN have generated over $10 million in lifetime US revenue across both platforms, with significant portions of this revenue flowing to Apple and Google through their commission structures.

Protecting Yourself: Essential Security Measures

Given the widespread nature of this surveillance network, users must take immediate action to protect their privacy and security:

Immediate Actions:

  1. Review all VPN applications currently installed on your devices
  2. Delete any apps appearing on the identified risk lists
  3. Enable Play Protect on Android devices and never disable it to install flagged applications
  4. Audit app permissions regularly, particularly for location, camera, and microphone access

Long-term Protection Strategies:

  • Only use paid VPN services from well-established companies with transparent ownership structures
  • Research VPN providers thoroughly before installation, avoiding any with Chinese ownership or unclear corporate structures
  • Monitor app permissions continuously, revoking access for any applications requesting unnecessary data
  • Use reputable security software that can detect and warn about potentially dangerous applications

Enterprise and Business Users:
Organizations must implement comprehensive Mobile Application Risk Management (MARM) programs that include regular audits of employee devices and strict policies regarding VPN usage. The exposure of sensitive corporate data through compromised VPN applications represents a significant threat to business security and intellectual property.

The Broader Implications for Digital Privacy

This surveillance network represents a fundamental challenge to digital privacy in the modern era. The apps specifically target users seeking enhanced privacy protection, turning their desire for security into a vulnerability that can be exploited by foreign adversaries.

National Security Concerns: Security experts warn that this level of data collection could enable sophisticated intelligence operations against American citizens, government employees, and business leaders. The ability to monitor real-time location data, browsing habits, and communication patterns provides unprecedented insights into sensitive activities.

Regulatory Response: The revelations have prompted calls for stronger oversight of mobile applications, particularly those handling sensitive user data. The Federal Trade Commission has already taken enforcement action against some data brokers involved in similar privacy violations.

Industry Accountability: The continued availability of these applications despite clear evidence of security risks raises serious questions about the effectiveness of current app store review processes. Both Apple and Google have faced criticism for their failure to adequately screen applications before making them available to users.

The scale and sophistication of this surveillance operation demonstrates that smartphone users can no longer assume that popular applications—even those specifically designed to enhance privacy—are trustworthy. The most effective protection requires vigilant scrutiny of all installed applications and a thorough understanding of the privacy risks inherent in mobile device usage.

For users serious about protecting their privacy, the message is clear: delete these applications immediately, research any replacement services thoroughly, and maintain constant vigilance about the applications you trust with your most sensitive data. Your digital privacy and personal security depend on it.

About the Author

Anish is the founder of TechBoltX, sharing mobile gaming rewards, guides, and daily updates.