Several virtual private network (VPN) browsing apps available on Apple and Google’s app stores supposedly have ties to a Chinese cybersecurity company blacklisted by the US government.
A report from the Tech Transparency Project (TTP), cited by the Financial Times on Tuesday, reveals that at least five free virtual private networks (VPNs) operating on US app stores are linked to Qihoo 360, a Shanghai-listed cybersecurity firm.
Qihoo was sanctioned by the US in 2020 over alleged ties to the Chinese military, and the Department of Defense later designated it as a military-affiliated company. TTP warned that “millions of Americans are inadvertently sending their internet traffic to Chinese companies,” owing to their findings that 20 of the top 100 most downloaded apps on the Apple Store are Chinese-owned.
Apps tied to sanctioned Qihoo
As of last Friday, the five VPN apps, Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN, were available on Apple and Google’s US stores.
VPNs provide users with encrypted connections to the Internet, allowing them to bypass geographical restrictions and firewalls. Because all online activity passes through the VPN service, these apps have significant access to user data.
China’s national security laws require companies and individuals to cooperate with state intelligence investigations and provide data when requested. This concerns the American government, which may have reasons to believe the Chinese accessed user information from these apps.
According to estimates from analytics firm Sensor Tower, three of the five apps have been downloaded more than one million times across Apple’s App Store and Google’s Play Store in 2025.
Why Qihoo was sanctioned
The VPN apps are reportedly operated by Singapore-based Innovative Connecting Pte, which Lemon Seed Technology, a Cayman Islands-based entity, owns. In January 2020, Qihoo purchased Lemon Seed along with two other companies for $69.9 million.
Four months later, in May 2020, the US placed Qihoo on its trade blacklist, restricting its access to American technology. By September, Qihoo informed investors that it was reevaluating its overseas strategy and had sold “Project L,” a reference to Lemon Seed, for $70.1 million. The company did not disclose the buyer.
In Guangzhou, China, a Qihoo subsidiary continued to hire coders to work on the VPN apps. In 2019, this subsidiary was formed under the name Qihoo. In 2021, it changed its name to Guangzhou Lianchuang Technology.
The Financial Times looked at business records and found that it was finally sold for one Chinese yuan to a new company in Beijing in 2023.
The majority owner of this Beijing firm, Chen Ningyi, was linked to Qihoo. A person by the same name previously headed Qihoo’s phone security department and is listed as the sole director of Lemon Seed.
Guangzhou Lianchuang’s recent job listings state that its apps operate in over 220 countries and have 10 million daily users. One open position listed responsibilities such as “monitoring and analyzing platform data,” with a preference for candidates “well-versed in American culture.”
Apple and Google have policies to prevent data breaches
Both Apple and Google have policies that say VPN apps can’t get information about users without their permission or give that information to other people. In response to the new claims of a data breach, Apple said it follows all applicable laws and will punish apps that break its strict VPN rules.
The company also said that its app store rules don’t limit who can own an app based on their nationality.
Per Matthew Green, a cryptography specialist at Johns Hopkins University, VPNs tend to ignore some compliance laws because they have deep access to user data.
“VPNs are a big exception to Apple’s phone privacy efforts because they attach themselves to the root network connection of your phone,” Green explained. “It’s not a very binding promise and not something that is very easy to enforce.”
Google, meanwhile, said it remains committed to compliance with trade and sanctions laws. “When we locate accounts that may violate these laws, our related policies, or terms of service, we take appropriate action.”
