2025-mixon-baca-hidden
findings extracted from this paper
-
Beyond business-filing cross-references, the paper introduces a method of linking VPN provider families by showing they share VPN server cryptographic credentials (Shadowsocks passwords, server TLS fingerprints) across distinct app identities. This extends prior ownership-attribution methods that relied solely on corporate registry data and code similarity, adding shared live infrastructure as a linkage signal that is harder for operators to obscure.
-
Three families of VPN apps with combined Google Play download counts exceeding 700 million share not only common ownership but hardcoded cryptographic credentials, including Shadowsocks passwords embedded in their APKs. An attacker who extracts these hardcoded passwords can passively decrypt all traffic of users of these apps. Business filing and APK analysis linked the families to the same operators; one previously-identified family (Innovative Connecting / Autumn Breeze / Lemon Clove) had already been linked to the People's Liberation Army.