Comparitech: How Can Telcos Protect Against VPN Risks?

In an era where digital privacy is paramount, Virtual Private Networks (VPNs) are an essential tool for consumers and industries. For telcos, VPNs are critical for safeguarding customer services and protecting key infrastructure.
They help to protect sensitive data, enable secure operations, support better compliance and protect IoT and 5G networks, which are increasingly vulnerable to cyberattacks. In addition, companies are leveraging VPNs as part of their consumer and enterprise offerings, positioning them as key elements in building greater trust and transparency.
However, as with any technology, adoption can be a double-edged sword.
For the telecommunications industry, the proliferation of VPNs represents a challenge as much as an opportunity, particularly as they can act as a potential vector for security risks if poorly configured or maintained.
Recent research by Comparitech set out this security risk, highlighting connections between some of the most popular free VPN applications and malicious entities in China and Russia.
According to Comparitech, earlier this year Tech Transparency Project published a report illustrating that "over 20 of the top 100 free VPNs on US app stores showed signs of Chinese ownership without proper disclosure."
A deeper dive: Comparitech's findings
Based on these findings, Comparitech analysed 24 popular VPN apps, 13 on Android and 11 on iOS, decompiling the Android APKs and inspecting each app's network fingerprints to determine whether it has ties to China or Russia.
It said that, while these ties don't strictly indicate ownership by Chinese or Russian entities, they raise red flags "that should make end users think twice about their privacy when using the apps".
Comparitech found that a significant number of the applications were communicating with servers in these countries.
Specifically, it revealed that six of the VPN apps communicate with Chinese domains, while eight Android apps communicate with Russian IPs.
Comparitech states that communication with a Chinese or Russian domain is not in itself definitive proof of ownership.
The connections, the report clarifies, are often not part of the VPN tunnel itself but are related to telemetry, analytics, or Software Development Kit (SDK) communications.
Beyond the tunnels: SDKs and data trails
The inclusion of third-party SDKs is a common practice in app development, but the origin of these SDKs is a critical factor in assessing the security of an application.
The investigation found that some of the analysed VPN apps, including the popular Turbo VPN and VPN Proxy Master, included Chinese or Russian SDKs, such as Baidu Analytics.
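The two signals described above, side-channel connections that sit outside the VPN tunnel and third-party SDKs bundled in the app, can be triaged with a small script. The following is an added example, not Comparitech's code or methodology: it labels each observed destination as tunnel or side traffic, attributes side traffic to a country by country-code TLD or a GeoIP-style IP table, and scans package names recovered from a decompiled APK for SDK prefixes of known origin. Every host, IP range, package name and lookup table in it is constructed sample data, and the VPN endpoint name is an assumption.

```python
"""Added example (not Comparitech's code): triage of an app's network destinations
and bundled SDK packages. All inputs, hosts, tables and package names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample of destinations seen on a test device while the app ran
# (for example from a DNS log or a packet capture). Fields: host port bytes
SAMPLE_CONNECTIONS = """\
vpn-gateway.example.net 443 1842233
analytics.example.cn 443 5120
hm.example.cn 80 2210
198.51.100.23 443 3100
cdn.example.com 443 40211
"""

# Constructed stand-in for a GeoIP lookup table (real work would use a GeoIP database).
SAMPLE_IP_COUNTRY = {ipaddress.ip_network("198.51.100.0/24"): "RU"}

# Constructed list of Java package prefixes recovered from a decompiled APK.
SAMPLE_PACKAGES = [
    "com.example.vpnapp.ui",
    "com.baidu.mobstat",        # constructed name standing in for a Baidu analytics SDK
    "com.google.android.gms",
]

# Constructed table: SDK package prefix -> vendor country it indicates.
SDK_ORIGINS = {"com.baidu.": "CN", "com.yandex.": "RU"}

# Country-code TLDs treated as a weak origin signal (hosting, not ownership).
CCTLD_COUNTRY = {".cn": "CN", ".ru": "RU"}


@dataclass
class Finding:
    host: str
    role: str               # "tunnel" or "side" (telemetry, analytics, SDK traffic)
    country: Optional[str]  # attributed country, None when there is no signal
    evidence: str           # how the attribution was made


def attribute_country(host, ip_table):
    """Attribute a destination to a country: IP table for literals, ccTLD for names."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: fall back to the country-code TLD, which is only a weak hint.
        for suffix, cc in CCTLD_COUNTRY.items():
            if host.endswith(suffix):
                return cc, f"ccTLD {suffix}"
        return None, "no signal"
    for net, cc in ip_table.items():
        if addr in net:
            return cc, f"ip in {net}"
    return None, "ip not in table"


def triage_connections(log, vpn_server, ip_table):
    """Parse the connection log and label each destination as tunnel or side traffic."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        host, _port, _nbytes = line.split()
        if host == vpn_server:
            # Traffic to the configured VPN endpoint is the tunnel itself.
            findings.append(Finding(host, "tunnel", None, "configured VPN endpoint"))
            continue
        cc, evidence = attribute_country(host, ip_table)
        findings.append(Finding(host, "side", cc, evidence))
    return findings


def side_hosts_by_country(findings):
    """Group non-tunnel destinations by attributed country; unattributed hosts are dropped."""
    grouped = defaultdict(list)
    for f in findings:
        if f.role == "side" and f.country:
            grouped[f.country].append(f.host)
    return dict(grouped)


def find_sdk_origins(packages, origins=SDK_ORIGINS):
    """Map each package matching a known SDK prefix to that vendor's country."""
    return {pkg: cc for pkg in packages
            for prefix, cc in origins.items() if pkg.startswith(prefix)}


if __name__ == "__main__":
    findings = triage_connections(SAMPLE_CONNECTIONS, "vpn-gateway.example.net",
                                  SAMPLE_IP_COUNTRY)
    for f in findings:
        print(f"{f.role:6} {f.host:25} {f.country or '-':3} ({f.evidence})")
    print("side traffic by country:", side_hosts_by_country(findings))
    print("SDKs with known origin:", find_sdk_origins(SAMPLE_PACKAGES))
```

The output separates the tunnel endpoint from the analytics and SDK destinations, which is the distinction the report draws. A ccTLD or GeoIP hit on side traffic says where the data goes, not who owns the app, so the grouped result is a list of hosts to investigate further, not a verdict on ownership.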
The geopolitical risk for users
Comparitech highlights: "China and Russia both force domestically-owned VPNs to register with the government and adhere to local laws, which may impact user privacy."
It adds that: "Authorities in Russia or China could coerce their domestic VPNs to spy on user data and activity, censor the web, or even spread malware."
App store scrutiny and the role of telcos
Comparitech says that it contacted Google, Apple, and each of the app developers for comment, with only Google and the developer of TurboVPN, Innovative Connecting, responding.
Innovative Connecting said: "Protecting user privacy is our highest priority. We strictly comply with our privacy policy and fully adhere to the developer policies and content guidelines of both Google Play and the Apple App Store. We do not record, monitor, or retain any user online activity at any time."
For the telecommunications industry, the research provides insight into the challenges around protecting their own security and keeping customers safe.
As providers of the networks on which these apps operate and in some cases, as promoters of security solutions, telcos have a vested interest in ensuring their customers are not exposed to unnecessary risks.
A call for greater diligence
Comparitech ends its research with practical information about maintaining mobile and app security when using VPNs.
This includes checking the app publisher and the VPN's website, as most will mention the country they are incorporated in, although this is only part of the equation.
Other notable steps include checking government databases and transparency records, which may contain reports or data about a specific VPN's country of origin.
When it comes to telco operators, there is a clear need for strong due diligence, both in the security of products offered to customers and in educating users about the potential risks of free VPN services.
The promise of a secure and private internet is a cornerstone of the digital age and it is a promise that the industry must work to protect.