Apple and Google app stores found hosting VPNs tied to sanctioned Chinese firm

A recent investigation has uncovered that Apple and Google have been hosting multiple virtual private network (VPN) apps with direct links to a Chinese cybersecurity firm sanctioned by the U.S. government. These VPN apps, which have collectively amassed millions of downloads, are associated with Qihoo 360, a company accused of having ties to the Chinese military. Despite regulatory scrutiny, these apps remained available in U.S. app stores until last week, when Apple removed two of them following media inquiries.

VPNs are widely used for online privacy, encryption, and bypassing geographic restrictions. However, the effectiveness of a VPN in protecting user data is entirely dependent on the trustworthiness of its developers. A fake or compromised VPN can expose a user’s browsing activity to third parties, posing significant security risks.

A joint investigation by the Tech Transparency Project (TTP) and the Financial Times found that at least five free VPN apps available on both Apple’s App Store and Google Play Store are linked to Qihoo 360. The identified apps include Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN (unrelated to the Signal messaging app). Qihoo 360, formally known as 360 Security Technology, was sanctioned by the U.S. in 2020 for its alleged connections to the Chinese military. The U.S. Department of Defense subsequently classified it as a military-affiliated entity.

Experts have raised concerns that millions of American users are unwittingly transmitting their internet traffic through VPN services tied to Chinese companies, potentially exposing sensitive data. Under China’s national security laws, domestic companies must comply with intelligence agency requests, which could include access to user data. VPNs, operating at a deep network level, can monitor and analyze online activities, making it difficult to ensure compliance with privacy policies.

Despite Google and Apple’s policies prohibiting VPN apps from collecting user data without consent, enforcing these regulations remains a challenge. Cryptography expert Matthew Green from Johns Hopkins University cautioned that verifying VPN compliance is complex, stating, “It’s not a very binding promise, and not something that is very easy to enforce.”

The investigation uncovered a convoluted network of ownership behind these VPN apps. They are reportedly operated by Singapore-based Innovative Connecting Pte, which is owned by Lemon Seed Technology, a Cayman Islands-registered company. In early 2020, Qihoo 360 acquired Lemon Seed for nearly $70 million—shortly before being placed on the U.S. trade blacklist. Although Qihoo later claimed to have divested from the VPN business, records indicate that developers linked to the company continued working on these apps.

A key subsidiary, Guangzhou Lianchuang Technology, was established in December 2019 to employ VPN developers. While Qihoo officially sold the subsidiary in 2023 for a symbolic price of 1 yuan (RMB), the transaction raised questions about whether the company had truly relinquished control. The buyer, a newly formed Beijing-based entity, is majority-owned by Chen Ningyi, a former Qihoo executive who remains the sole director of Lemon Seed.

During an on-site visit by Financial Times reporters, Guangzhou Lianchuang employees acknowledged their connection to Qihoo 360 but described their relationship as “complicated.” Recruitment listings further indicate that the company’s VPN apps operate in over 220 countries and attract 10 million daily users. One job posting sought candidates “well-versed in American culture” for monitoring and analyzing platform data, raising additional concerns about potential data collection practices.

Following the publication of the investigation, Apple removed Thunder VPN and Snap VPN from its App Store. However, the status of Turbo VPN, VPN Proxy Master, and Signal Secure VPN remains uncertain. In response to the findings, Apple emphasized that it complies with all relevant regulations and takes action against apps violating its policies. However, the company noted that its rules do not restrict app ownership based on nationality.

Google has also reaffirmed its commitment to compliance with trade laws and security policies. Recently, it introduced a “verified” badge for VPN apps that meet additional security requirements. Notably, Turbo VPN—one of the apps linked to Qihoo—received this verification status, highlighting potential gaps in Google’s vetting process.