Apple and Google Found to Host VPN Apps Linked to Chinese Military

• Apple and Google were found to host VPN apps linked to Qihoo 360, a Chinese company sanctioned by the U.S. for military ties.
• With millions of downloads, these VPNs could expose user data to China’s government due to national security laws.
• Some apps with Chinese connections are still accessible despite stringent VPN regulations, which raises questions about enforcement.

According to a recent investigation, a number of free VPN apps connected to a Chinese cybersecurity company that the United States has sanctioned were available on Apple's and Google's app stores. Millions of people have downloaded the apps, raising privacy and national security issues.

A report by the Tech Transparency Project (TTP) found that five VPN apps (Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN) were linked to Shanghai-listed Qihoo 360, a Chinese company sanctioned by the U.S. government in 2020 due to its alleged ties to the Chinese military.

According to the survey, one in five of the top 100 free VPNs in the App Store are owned by Chinese companies, which draws attention to a more significant problem. As a result, millions of Americans may be unknowingly transferring their internet traffic to Chinese corporations. According to the law, these apps must abide by China's national security regulations and provide data to state officials upon request.

Links to Qihoo 360 and Ownership Concerns

Qihoo 360, officially known as 360 Security Technology, was added to the U.S. Commerce Department’s Entity List in 2020, restricting its access to U.S. exports. A 2015 report from China Daily noted that Qihoo 360 had worked with the People’s Liberation Army (PLA) and multiple Chinese government ministries.

Although Qihoo claimed it sold its VPN business in 2020 after being sanctioned, records suggest otherwise. The Singapore-based Innovative Connecting, which operates the VPN apps, is owned by Lemon Seed Technology, registered in the Cayman Islands. In 2020, Qihoo paid $69.9 million for Lemon Seed and other entities. Later that year, it claimed to have sold "Project L," believed to be its VPN operations, for $70.1 million, but it did not disclose the buyer.

Despite this sale, a Guangzhou-based subsidiary of Qihoo continued to employ the developers running these VPN apps. In 2021, this subsidiary was renamed Guangzhou Lianchuang Technology and later sold in 2023 for RMB 1 ($0.14) to a newly formed Beijing company. Records show that Chen Ningyi, a former Qihoo executive, controls this Beijing company.

When the Financial Times visited Guangzhou Lianchuang’s office, developers confirmed they were still working on these foreign VPNs and acknowledged links to Qihoo 360. "You could say that we’re part of them and you could say we’re not," one programmer said.

Recruitment listings for Guangzhou Lianchuang mention that its apps operate in over 220 countries and serve 10 million users daily. Some job postings require candidates to be "well-versed in American culture" and responsible for “monitoring and analyzing platform data.”

Apple and Google’s Response

As of last week, the five VPNs connected to Qihoo 360 were still accessible on both Google's Play Store and Apple's App Store. However, Thunder VPN and Snap VPN were taken down when the Financial Times got in touch with Apple.

Apple and Google have policies prohibiting VPN apps from collecting or sharing user data without consent. Apple’s rules explicitly state that VPNs must not disclose data to third parties. However, experts point out that enforcing these policies is difficult.

"VPNs are a big exception to [Apple’s phone privacy efforts] because they attach themselves to the root network connection of your phone," said Matthew Green, a cryptography expert at Johns Hopkins University. "It’s not a very binding promise, and not something that is very easy to enforce."

Apple removed VPN apps from its Chinese App Store in 2017 after China imposed strict cybersecurity laws requiring VPN services to store user data on local servers. However, these Qihoo-linked VPNs were available outside China and targeted global users.

Apple stated that it complies with relevant laws and removes apps that violate its VPN policies. The company clarified that its App Store rules do not prohibit app ownership based on nationality or corporate ties.

Google recently introduced a “verified” badge for VPN apps that meet higher security standards. Turbo VPN, one of the Qihoo-linked apps, received this badge. Google said it remains committed to compliance with trade laws and will take action against apps that violate its policies.

Ongoing Concerns

Privacy advocates warn that VPN apps can access extensive user data, even including their browsing activity. Since Chinese companies must comply with state intelligence requests, VPNs with ties to China could pose a serious privacy risk.

"Campaign for Accountability" executive director Michelle Kuppersmith called the scenario a "national security nightmare" and urged Apple to make VPN software ownership more transparent. She contended that Apple's screening procedure might not be robust enough to protect its users from inadvertently downloading apps associated with Chinese companies.

Innovative Connecting denied the accuracy of the reports but declined further comment. Guangzhou Lianchuang, Qihoo 360, and Chen Ningyi also did not respond to requests for comment.

With growing concerns over foreign influence in tech, these revelations may pressure Apple and Google to tighten their app review processes and disclose more about VPN app ownership. However, for now, some of the VPNs tied to Qihoo 360 remain available for download.