IT NEWS

WhatsApp for Windows vulnerable to attacks. Update now!

In a security advisory, Meta has disclosed a vulnerability in all WhatsApp for Windows versions before 2.2450.6 that allowed an attacker to run arbitrary code on a user’s system.

WhatsApp offers a desktop application for Windows and macOS, which users can synchronize with their mobile devices. Desktop versions of WhatsApp are generally used as extensions of mobile apps rather than primary platforms. So, while these apps are widely used, their adoption rate is likely significantly lower than that of mobile platforms.

WhatsApp has over 3.14 billion monthly active users as of January 2025, with 73% using Android and 22% using iOS. Using WhatsApp on your desktop offers some advantages that users might appreciate. My excuse is that I can type faster on my laptop and I can make better screenshots of my conversations.

If you use WhatsApp for Windows, you should update as soon as you can.

How to update WhatsApp for Windows

You can find the current version of your WhatsApp for Windows by clicking on the Settings (gear symbol) > Help.


If your version number is lower than 2.2450.6, install a new version by following these steps:

  1. Click the Start menu and search for Microsoft Store to open it.
  2. In the Microsoft Store, click on Library located at the bottom left corner.
  3. Scroll through the list or use the search bar to find WhatsApp Desktop.
  4. Click on Get Updates or look for an Update button next to WhatsApp Desktop. If an update is available, it will appear here.
  5. Click the Update button to download and install the latest version of WhatsApp Desktop.
  6. Once the update is complete, restart the application to ensure all changes are applied.

My WhatsApp was already up to date because I have automatic updates turned on. This is how Microsoft Store on Windows can automatically install app updates.

  1. Select Start, then search for and select Microsoft Store.
  2. In the Microsoft Store app, select Profile (your account picture) > Settings.
  3. Make sure App updates is turned On.

The vulnerability

The vulnerability tracked as CVE-2025-30401 is described by Meta as:

“A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”

In other words, it was possible for a sender to disguise the true nature of their attachment by changing the file extension to something harmless, like a jpeg, when in reality it was a malicious file that would be opened with the program the receiver had set as default for such a file.

In the past we’ve seen this used against users that have Python installed on their systems. People were sent a Python or PHP script as an attachment, which would get executed without any warning if the receiver opened it.
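The mismatch Meta describes can be caught before an attachment is handed to the operating system, by deriving the display decision and the open decision from the same filename. The following Python check is an added example, not WhatsApp's code; the policy tables and the sample attachments are constructed for illustration.

```python
import os

# Constructed policy tables (assumptions for this example, not WhatsApp's).
# Extensions a viewer may hand to the OS for each displayed MIME type.
ALLOWED_EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
    "text/plain": {".txt"},
}

# Extensions whose default handler can run the file instead of viewing it
# (.py and .php only when an interpreter is installed and registered).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".scr", ".js", ".vbs", ".ps1",
    ".py", ".pyw", ".php", ".hta", ".lnk", ".msi",
}


def effective_extension(filename: str) -> str:
    """Return the extension the OS would use to pick a file handler."""
    # Drop any path components supplied by the sender.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces when it resolves a file name.
    name = name.rstrip(". ")
    # Only the last extension counts: "holiday.jpg.py" is a .py file.
    return os.path.splitext(name)[1].lower()


def check_attachment(declared_mime: str, filename: str):
    """Return (decision, reason); decision is 'open', 'save-only' or 'block'."""
    mime = declared_mime.split(";", 1)[0].strip().lower()
    ext = effective_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"{ext} is run, not viewed, by its default handler"
    allowed = ALLOWED_EXTENSIONS.get(mime)
    if allowed is None:
        return "save-only", f"no viewer policy for {mime}"
    if ext not in allowed:
        return "block", f"shown as {mime} but opened as {ext or 'no extension'}"
    return "open", "display type and file handler agree"


# Constructed sample attachments: (declared MIME type, filename).
SAMPLES = [
    ("image/jpeg", "holiday.jpg"),
    ("image/jpeg", "holiday.jpg.py"),
    ("image/png", "chart.jpg"),
    ("application/pdf", "invoice.pdf.exe. "),
]


def triage(samples=SAMPLES):
    """Return (filename, decision) for each sample attachment."""
    return [(name, check_attachment(mime, name)[0]) for mime, name in samples]


if __name__ == "__main__":
    for name, decision in triage():
        print(f"{decision:9} {name!r}")
```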


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

72% of people are worried their data is being misused by the government, and that’s not all…

Bad vibes are big news in privacy right now, with the public feeling isolated in securing their sensitive information from companies, governments, AI models, and scammers.

That’s the latest from Malwarebytes research conducted this month, which revealed that the vast majority of people are concerned about wrongful data access from nearly every corner of their lives. For example, 89% of people “agreed” or “strongly agreed” that they are “concerned about my personal data being used inappropriately by corporations,” and another 72% agreed or strongly agreed that they are “concerned about my personal data being accessed and used inappropriately by the government.”

The anxieties are easy to trace.

In just the first three months of 2025, the UK government asked Apple for access to encrypted cloud storage for users across the globe, the US government exposed active Social Security Numbers in releasing files related to the assassination of former President John F. Kennedy, and the announced bankruptcy of genetic testing company 23andMe prompted many customers to delete their data.

Against this backdrop, many users are taking privacy into their own hands. More than 40% of people have stopped using either TikTok, Instagram, or X (formerly Twitter), and 26% stopped using a fertility or period tracking app. A robust 75% said they “opt out of data collection, as possible,” and 23% have gone a step further, using a data removal service to help clean up any personal information that is easily found online.

These findings come from a pulse survey that Malwarebytes conducted of its newsletter readers in March via the Alchemer Survey Platform.

Broadly, Malwarebytes found that:

  • 89% of people are “concerned about my data being used by AI tools without my consent.”
  • 70% of people “feel resigned that my personal data is already out there, and I can’t get it back.”
  • 77% of people said that “many online transactions today, from purchases to downloads to creating new accounts, feel like ploys to take my data.”
  • While 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” 60% feel that “we will never have simple, meaningful ways to protect our data.”
  • To protect their personal information and that of their family, at least 40% of people have stopped using Instagram, TikTok, and X (formerly Twitter).
  • 26% of people stopped using a fertility app or period tracking app.

Institutional distrust

The public believe that the biggest threats to their privacy right now are AI models, companies, governments, and, well, pretty much every single interaction they have with the internet at large.

Aside from the 89% of people concerned about their data being “accessed and used inappropriately by the government,” another 50% said they were concerned about wrongful government access of their “private conversations.”

Elsewhere, an astounding 89% of people said that they are “concerned about my data being used by AI tools without my consent.” It is unclear exactly where these fears lie. People may be concerned that AI tools are scraping public websites for their information—like the facial recognition company ClearView AI does by scouring articles, mugshot websites, and publicly listed social media profiles—or they may fear that tools like ChatGPT and Google’s Gemini are recording “conversations” or questions for future use.

Exacerbating these concerns is, likely, the current murkiness around AI technology and what it requires to function. The New York Times is currently suing OpenAI for allegations that its large language model wrongfully ingested the outlet’s copyrighted articles as training data, human contractors that helped train the AI recognition systems for Roomba vacuums mistakenly leaked sensitive photos on Facebook, and a national mental health support chatline siphoned off some of its users’ conversations to train an AI-powered customer support chatbot in an effort to boost funding.

But it isn’t just AI that the public distrust, it’s also the many ways they’re forced to engage with the internet, overall, as 77% agreed or strongly agreed that “many online transactions today, from purchases to downloads to creating new accounts, feel like ploys to take my data.”

They may have a point. Downloading a mobile game can reveal your location data to countless ad companies, searching for airline tickets on a Mac device can force you into paying higher prices, and buying a car can subject your sex life—seriously—to data collection. And these are the largely legal consequences of everyday life! Real-deal cybercriminal campaigns like “malvertising,” that abuse Google search results to direct victims to malicious websites, only make matters worse.

Amidst this landscape, the public broadly agreed that they wanted privacy protections that, unfortunately, they feel no one is going to grant them.

A full 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” while 70% also believe “we will never have simple, meaningful ways to protect our data.”

So, in the absence of legal or corporate protections, the public are taking matters into their own hands.

Individual action

The dire privacy concerns shared by many respondents have, for the most part, not resulted in privacy nihilism. In fact, a heartening 60% of respondents did not agree that they have “become less vigilant about my data privacy and security because there is little I can do these days.”

Instead, as Malwarebytes found, many people have started disengaging from major online platforms and adding privacy-conscious tools and habits to their daily regimen.

For instance, to protect their and their family’s personal information, 47% of people said they “stopped using TikTok,” 45% said they “stopped using X” (formerly Twitter), 44% said they “stopped using Instagram,” and 37% said they “stopped using Facebook.” Another 26% said they “stopped using a fertility/period tracking app.”


Elsewhere, 69% of people said they “use an ad blocker for online browsing,” and 75% of people “opt out of data collection, as possible.” Another 42% said they use a VPN, which can provide an extra level of comfort by encrypting all web traffic when connecting to public or unknown Wi-Fi networks.

Malwarebytes also found that 69% of respondents said they use “multifactor authentication,” or MFA. MFA is one of the strongest security protections against account takeovers and hacking, requiring that login attempts aren’t approved with just a username and password, but with a separate piece of information, like a one-time passcode that is texted to a user’s device. Though understood as a cybersecurity best practice, MFA also strengthens a user’s privacy. After all, thieves don’t hack into accounts just for fun; they sometimes hack into accounts to steal any sensitive information stored within.

Finally, a smaller percentage of people said they use identity theft protection solutions (43%) and personal data removal services (23%). These are critical tools for catching and stopping identity theft, and for making it harder for scammers to find and target victims.

Malwarebytes understands that privacy isn’t “easy” right now (it never necessarily has been), but that doesn’t mean it’s time to give up. Thankfully, many people responded that, despite their serious concerns, they aren’t about to take corporate and government privacy invasions willingly. That’s the type of attitude that the public needs more than ever, and we’re grateful to see it.



Tax deadline threat: QuickBooks phishing scam exploits Google Ads

The pressure of the looming tax filing deadline (April 15th in the US) can make anyone rush online tasks. Cybercriminals are acutely aware of this increased activity and are exploiting trusted platforms like Google to target Intuit QuickBooks users.

By purchasing prominent Google Ads, they are creating highly convincing fake login pages designed to pilfer sensitive information, including usernames, passwords, and even one-time passcodes (OTPs) – the keys to someone’s financial data needed for tax compliance.

Understanding this deceptive tactic is the first step in protecting yourself from falling victim.

Brand impersonation: from Google ad to phishing page

Accounting and tax preparation software has traditionally been a common lure for scammers, particularly those related to online support operating out of large call centres in India and surrounding areas.

Late last year, we documented a fraudulent QuickBooks installer that was laced with malware and generated a fake pop up to trick users into calling for assistance.

This time, the attack is even more dangerous as it goes after victims’ login credentials for QuickBooks. It starts from a Google search, showing an ad that impersonates Intuit’s branding for “QuickBooks Online”.


This leads to a fraudulent website that is essentially a lookalike.

Domain Name: QUICCKBOORKS-ACCCOUNTING .COM
Registrar URL: https://www.hostinger.com
Creation Date: 2025-04-07T01:44:46Z

Unbeknownst to victims, the sign-in page is actually a phishing portal that will steal account credentials in real-time and leak them to the criminals behind this scheme.

One-time passcode workaround

Passwords alone offer a limited level of security because they can be easily guessed, stolen through phishing, or compromised in data breaches. It is highly recommended to enhance account protection by enabling a second form of authentication like one-time passcodes sent to your device or utilizing a 2FA app for an extra layer of verification.

Phishing kits have evolved to become increasingly sophisticated, with some now capable of circumventing one-time passcodes and 2FA. These kits often employ “man-in-the-middle” or “adversary-in-the-middle” (AiTM) techniques.

When a victim enters their credentials and the one-time passcode on a fake login page created by the phishing kit, this information is intercepted in real-time and relayed to the attacker. The attacker can then use these stolen credentials and the valid one-time passcode to log in to the victim’s account before the passcode expires.


Conclusion

Cybercriminals often intensify their efforts to target accounting software like QuickBooks during or around tax season, hoping to capitalize on the increased volume of financial transactions and the time-sensitive nature of tax preparations.

Deceptive Google ads can be designed to closely resemble legitimate QuickBooks search results, leading unsuspecting users to fake login pages that harvest their credentials, financial data, or even install malware.

OTP and 2FA still significantly increase security against a vast majority of attacks, especially automated attempts and less sophisticated phishing, making them essential layers of protection when used on authentic platforms.

However, even with the added security of one-time passcodes and 2FA, these measures are rendered ineffective if the initial login occurs through a malicious website reached via a deceptive ad.

Therefore, it is critical to access your QuickBooks account and conduct all sensitive activities directly through the official Intuit QuickBooks website or application, carefully verifying the URL.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Malicious QuickBooks domains


Google AI taken for a ride by April Fools’ Day joke

Cwmbran in Wales, a town with a population of just under 50,000, holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews.

Except that’s not actually true…

Ben Black has been publishing lighthearted fake stories on April Fools’ Day for his community news site Cwmbran Life since 2018. The April Fools include the erection of a Hollywood-style sign on a mountain, and the creation of a nudist cold-water swimming club at a lake.   

In 2020, Black published a fake story saying Cwmbran had been recognized by Guinness World Records for having the highest number of roundabouts per square kilometer.  

He fabricated a random number of roundabouts, added a quote from a fictitious resident, and clearly stated that the “news” was an April Fool’s Day joke several hours later. 

So it came as quite a surprise when Black discovered that Google AI Overviews picked up this story as real news recently.  

The thing about April Fools’ Day is that it is treated very differently to every other day online. Normal news outlets publish deliberately fake news stories and we, as people with knowledge of April Fools’ Day, can use that to assess if something is true. Google AI obviously didn’t get that memo.

As Black said:

“It’s not a dangerous story, but it shows how fake news can easily spread even if it’s from a trusted news source.” 

Google AI Overviews has been under scrutiny since testing last year after generating false information, including advising people on the minimum required pebbles to eat in a day or using gasoline to cook spaghetti faster.

Black decided not to publish an April Fools’ prank this year due to his busy schedule and his recent experience with Google, which has made him hesitant about future pranks. 

We feel similarly about online pranks coming from us, a cybersecurity company that you can trust, so we opted out of April Fools’ Day this year too.

Google fixes two actively exploited zero-day vulnerabilities in Android

Google has patched 62 vulnerabilities in Android, including two actively exploited zero-days in its April 2025 Android Security Bulletin.

When we say “zero-day” we mean an exploitable software vulnerability for which there was no patch at the time of the vulnerability being exploited or published. The term reflects the amount of time that a vulnerable organization has to protect against the threat by patching—zero days.

The April updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-04-05 or later then you can consider the issues as fixed. The difference with patch level 2025-04-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

Technical details

The zero-days are both located in the kernel:

CVE-2024-53150: an out-of-bounds flaw in the USB sub-component of the Linux Kernel that could result in information disclosure. Local attackers can exploit this flaw to access sensitive information on vulnerable devices without user interaction.

The out-of-bounds vulnerability was caused by USB-audio driver code that failed to check the length of each descriptor before passing it on. There are currently no details on how CVE-2024-53150 has been exploited in real-world attacks, by whom, and who may have been targeted in those attacks.

CVE-2024-53197: a privilege escalation flaw in the USB audio sub-component of the Linux Kernel. Again, no user interaction is required.

This vulnerability is the missing link to CVE-2024-50302 and CVE-2024-53104, which, put together, were reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Is your phone listening to you? (Lock and Code S06E07)

This week on the Lock and Code podcast…

It has probably happened to you before.

You and a friend are talking—not texting, not DMing, not FaceTiming—but talking, physically face-to-face, about, say, an upcoming vacation, a new music festival, or a job offer you just got.

And then, that same week, you start noticing some eerily specific ads. There’s the Instagram ad about carry-on luggage, the TikTok ad about earplugs, and the countless ads you encounter simply scrolling through the internet about laptop bags.

And so you think, “Is my phone listening to me?”

This question has been around for years and, today, it’s far from a conspiracy theory. Modern smartphones can and do listen to users for voice searches, smart assistant integration, and, obviously, phone calls. It’s not too outlandish to believe, then, that the microphones on smartphones could be used to listen to other conversations without users knowing about it.

Recent news stories don’t help, either.

In January, Apple agreed to pay $95 million to settle a lawsuit alleging that the company had eavesdropped on users’ conversations through its smart assistant Siri, and that it shared the recorded conversations with marketers for ad targeting. The lead plaintiff in the case specifically claimed that she and her daughter were recorded without their consent, which resulted in them receiving multiple ads for Air Jordans.

In agreeing to pay the settlement, though, Apple denied any wrongdoing, with a spokesperson telling the BBC:

“Siri data has never been used to build marketing profiles and it has never been sold to anyone for any purpose.”

But statements like this have done little to ease public anxiety. Tech companies have been caught in multiple lies in the past, privacy invasions happen thousands of times a day, and ad targeting feels extreme entirely because it is.

Where, then, does the truth lie?

Today, on the Lock and Code podcast with David Ruiz, we speak with Electronic Frontier Foundation Staff Technologist Lena Cohen about the most mind-boggling forms of corporate surveillance—including an experimental ad-tracking technology that emitted ultrasonic sound waves—specific audience segments that marketing companies make when targeting people with ads, and, of course, whether our phones are really listening to us.

“Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Toll fee scams are back and heading your way

Back in August 2024, we warned about a relatively new type of SMS phishing (or smishing) scam that was doing the rounds.

Now a new wave of toll fee scams is working its way around the US. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, like E-ZPass, The Toll Roads, SunPass, or TxTag.

The texts usually create a sense of urgency, a common tactic of scammers, by telling you there is only a limited time left to act or there will be dire consequences.

The phishing sites are typically out to steal personal information and/or payment details. Reportedly, some users get up to 7 such messages in a day.

Many state departments are issuing warnings. For example, the Wisconsin Department of Transportation (WisDOT) Division of Motor Vehicles (DMV) recently warned consumers of reported phishing attempts via text, and the Arizona Department of Transportation even published a reminder that the state highway system doesn’t have toll roads, because of these scams.

A typical text message might look like this:


“Your toll payment for E-ZPass Lane must be settled by {a date in the very near future}. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.

Pay here: {malicious link}

(Please reply with “Y”, then exit the text message. Open it again, click the link, or copy it into your browser and open it.)”

The malicious links are often fabricated to look legitimate by including an existing domain name before the actual domain name, for example e-zpass.com-roadioe[.]cc.
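In the hostname above the brand's domain is only a prefix; the domain that was actually registered is whatever comes last. The following Python check is an added example, not part of the original article: it pulls links out of a text message, extracts the registered domain, and flags hosts that embed a known brand domain in front of it. The allow-list and the sample message are constructed, and taking the last two labels as the registered domain is a simplification that ignores multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: "e-zpass.com" is the domain named in the article's
# example; "tolls.example" is a placeholder for any other agency domain.
OFFICIAL_DOMAINS = {"e-zpass.com", "tolls.example"}

# Matches plain or [.]-defanged links, with or without a scheme.
LINK_RE = re.compile(
    r"(?:https?://)?[a-z0-9-]+(?:(?:\[\.\]|\.)[a-z0-9-]+)+(?:/\S*)?", re.I
)


def hostname_of(link: str) -> str:
    """Return the lower-cased hostname of a (possibly defanged) link."""
    link = link.strip().replace("[.]", ".")
    if "://" not in link:
        link = "https://" + link  # SMS links often omit the scheme
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def registrable_domain(link: str) -> str:
    """Return the last two hostname labels (simplified, see the lead-in)."""
    labels = hostname_of(link).split(".")
    return ".".join(labels[-2:])


def classify_link(link: str):
    """Return (verdict, domain): 'official', 'impersonation' or 'unknown'."""
    host = hostname_of(link)
    registered = registrable_domain(link)
    if registered in OFFICIAL_DOMAINS:
        return "official", registered
    # The brand appears in the host but is not the registered domain.
    for brand in sorted(OFFICIAL_DOMAINS):
        if brand in host:
            return "impersonation", brand
    return "unknown", None


def scan_sms(text: str):
    """Return (link, verdict, domain) for every link found in a message."""
    return [(link, *classify_link(link)) for link in LINK_RE.findall(text)]


# Constructed message that follows the template quoted in the article.
SAMPLE_SMS = (
    "Your toll payment for E-ZPass Lane must be settled by tomorrow. "
    "Pay here: https://e-zpass.com-roadioe[.]cc/pay"
)

if __name__ == "__main__":
    for link, verdict, domain in scan_sms(SAMPLE_SMS):
        print(verdict, registrable_domain(link), link)
```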

How to avoid falling for toll fee scams

  • Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
  • Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
  • If you decide to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
  • Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
  • If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
  • The FBI asks that, if you receive a suspicious message, you contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

Indicators of Compromise (IoCs)

Domains involved in toll fee scams:


Did you know that Malwarebytes for mobile scans your texts for scams and blocks known malicious sites?



A week in security (March 31 – April 6)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Flaw in Verizon call record requests put millions of Americans at risk

Security researcher Evan Connelly discovered an enormous flaw affecting one of the largest telecommunications companies in the world that could allow any single person to view the recent incoming call log for potentially any Verizon phone number.

“In short, anyone could lookup data for anyone,” Connelly said.

A vulnerability in the Verizon Call Filter iOS app allowed anyone to request the call logs of millions of US Verizon customers. The Verizon Call Filter app for iOS allows customers to view a log of their recent calls. This log will show them the phone numbers and an associated timestamp.

To request such a log, the app sends a request to a server to fetch the data belonging to the phone number in question. The network request to the server contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps.

But, as it turns out, there were no checks to make sure that the number the information was requested about and the number that sent the request matched.

So, the researcher was able to craft requests for any given phone number and get the call logs for that number, without owning that number. The consequence: anyone could look up data for any Verizon Wireless customer.
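The missing check is an object-level authorization check: the server has to compare the number in the request with the number the caller has proven it owns. The following Python handler, in a flawed and a corrected form, is an added example and not Verizon's code; the token format, the signing key, the phone numbers and the call-log store are all hypothetical.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # hypothetical signing key

# Constructed call-log store: phone number -> list of (caller, timestamp).
CALL_LOGS = {
    "+15550100": [("+15550199", "2025-02-20T09:14:00Z")],
    "+15550101": [("+15550142", "2025-02-21T18:02:00Z")],
}


def _sign(phone_number: str) -> str:
    return hmac.new(SERVER_KEY, phone_number.encode(), hashlib.sha256).hexdigest()


def issue_token(phone_number: str) -> str:
    """Issue a token that binds a session to one phone number (after login)."""
    return f"{phone_number}.{_sign(phone_number)}"


def authenticated_number(token: str):
    """Return the number the token was issued for, or None if it is forged."""
    number, _, signature = token.rpartition(".")
    if hmac.compare_digest(signature.encode(), _sign(number).encode()):
        return number
    return None


def get_call_log_flawed(token: str, requested_number: str):
    """Checks that the caller is logged in, then trusts the requested number."""
    if authenticated_number(token) is None:
        return 401, []
    return 200, CALL_LOGS.get(requested_number, [])


def get_call_log_fixed(token: str, requested_number: str):
    """Serves the log only when the requested number is the caller's own."""
    owner = authenticated_number(token)
    if owner is None:
        return 401, []
    if requested_number != owner:
        return 403, []  # authenticated, but not authorized for this number
    return 200, CALL_LOGS.get(owner, [])


if __name__ == "__main__":
    token = issue_token("+15550100")
    print(get_call_log_flawed(token, "+15550101"))  # another customer's log
    print(get_call_log_fixed(token, "+15550101"))   # rejected with 403
    print(get_call_log_fixed(token, "+15550100"))   # own log
```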

The researcher did not check whether every Verizon Wireless customer was affected by this flaw.

“The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).”

But it looks as if the Verizon Call Filter is enabled by default, so at least a great many Verizon Wireless customers would be impacted.

This is not just a privacy concern. For some people this could be a security hazard. For people in a domestic abuse situation, public figures, or those of interest to resourceful cyberattackers, a history of calls and frequent callers falling into the wrong hands can put people at physical risk or even compromise national security.

An attacker with access to someone’s call history could figure out their daily habits, see who they talk to most often, and guess their personal relationships. There is no available information whether this flaw was ever actively abused.

Thankfully, Verizon took the issue seriously and fixed it promptly.

Timeline:

  • 2/22/2025 – Issue discovered and reported to Verizon
  • 2/24/2025 – Acknowledgment from Verizon of the report
  • 3/23/2025 – Researcher requested an update as the issue appeared fixed
  • 3/25/2025 – Confirmation from Verizon that the issue is resolved

Verizon call filter

The Verizon Call Filter is a useful tool against robocalls, since it’s a screening and filtering tool that helps you manage nuisance calls. Verizon uses a Know Your Customer (KYC) scoring system to identify spam call networks and block their calls before they reach your phone. Based on your settings, blocked calls will either go to voicemail or be stopped altogether.

If you no longer want to use Call Filter, it’s easy to turn it off. Here’s how:

On iPhone:

  1. Open the Call Filter app.
  2. Go to Settings.
  3. Tap Manage Plan and select Turn Off Call Filter.

Alternatively, you can disable it from your iPhone’s settings by going to Settings > Phone > Call Blocking & Identification and toggling off the Call Filter option.

On Android:

  1. Open the Call Filter app (it might already be installed on your device).
  2. Tap Account, then Manage Plan.
  3. Follow the steps to disable Call Filter.

As an alternative you can use Malwarebytes Mobile Security for iOS or Malwarebytes Mobile Security for Android to block scam calls.



Popular VPNs are routing traffic via Chinese companies, including one with link to military

Up to one in five of the most popular mobile VPNs for iOS last year are owned by Chinese companies that do their best to hide the fact. In at least one case, the owner is on a US blacklist.

That’s according to a report from the non-profit Tech Transparency Project (TTP), who investigated the top 100 mobile VPN apps downloaded from Apple’s App Store as documented by mobile intelligence company AppMagic.

Mobile VPNs are apps that connect your smartphone to the internet via different computers around the world. People use them to make it look as though they’re connecting from elsewhere, often to dodge local censorship or to access commercial content not available in their region, or just because they’re concerned about privacy.

The downside is that you must be able to trust the company that operates those computers. After all, they get to see all of your traffic as it passes through those channels.

The TTP warns that a large proportion of the most popular mobile VPN apps in the Apple App Store are owned by Chinese companies. These include Qihoo 360, which is classified as a Chinese military company by the US Department of Defense.

Several mobile VPNs linked to Chinese military

According to the TTP report, Qihoo acquired an app development company called Guangzhou Quanyong. The company developed several mobile apps for Innovative Connecting Pte. Ltd, a Singapore-registered company owned by another company called Lemon Seed, registered in the Cayman Islands.

Innovative Connecting developed an app called Turbo VPN, which was marketed to Spanish-speaking people in the US as a way to circumvent proposed restrictions when accessing Chinese-owned social network TikTok. The company developed several other VPNs in the top 100, including VPN Proxy Master and Thunder VPN. It is also responsible for others that didn’t make it into the top 100: Snap VPN, and Signal Secure VPN.

Chinese company 360 Security Technology, also known as Qihoo 360, purchased Lemon Seed, according to its 2019 annual report.

Not only is Qihoo 360 classified as a Chinese military company in the US, in June 2025 the US government also placed Qihoo 360 on its Entity List, which is a list of companies maintained under the US government’s Export Administration Regulations (EAR).

The Entity List identifies entities that the US believes pose a risk to its national security. It added Qihoo 360 and others to the list citing “reasonable cause to believe that these entities pose a significant risk of becoming involved in activities — the procurement of commodities and technologies for military end-use in China—that are contrary to the national security interests of the United States.”

Three months later, Qihoo 360 sold a package of assets under the banner ‘Project L’, which the TTP investigation believes contained Lemon Seed based on the description of its acquisition date in the public filing.

In spite of the sale, TTP suggests an ongoing link between the two companies, based on March 2025 filings that list its sole director as Chen Ningyi, who shows up on a Qihoo 360 patent in 2017 and who appears to be a general manager for Qihoo’s mobile security app 360 Mobile Guard.

Shell companies and proxy ownership

Apps developed by Innovative Connecting aren’t the only ones with possible links to China, according to the report. It traced several back to companies in Hong Kong. The island city has come under increasingly strict Chinese control lately with the passage a year ago of Article 23, a bill applying strict penalties for a broad array of activities deemed anti-Chinese.

The report found several VPN apps registered to Hong Kong companies, often owned by people or entities on the mainland. These included X-VPN, VPNIFY, VPN Bucks, LinkWorldVPN, VPN Proxy OvpnSpider, and Best VPN Proxy AppVPN.

It also found some registered in other parts of the world that appeared to be Chinese products operating through proxies. One, WireVPN – Fast VPN & Proxy, was registered in the UK but is controlled by a single Chinese national via a shell company. It shares a privacy policy with another similarly-named product registered in Belize called Wirevpn – Secure & Fast VPN. Both use language lifted directly from Chinese privacy regulations.

While VPNs are a useful way to achieve some privacy online, this report highlights the importance of due diligence when choosing a technology provider. Not all VPNs are created equal – and just because they’re in Apple’s App Store doesn’t mean that they’re automatically above board.

How to find a VPN you can trust

Consider the jurisdiction:

  • As evidenced by the TTP report, the VPN provider’s location matters. Be wary of VPNs based in countries that require intelligence-sharing with their governments.

Look for these security features:

  • Strong encryption protocols (like 256-bit ChaCha20) are vital.
  • A “kill switch” is important; it disconnects your internet connection if the VPN drops, preventing data leaks.
  • Look for VPNs that support secure protocols like WireGuard.

Read the privacy policy:

  • A “no-log” policy is essential. This means the VPN provider should not track, store, or share your browsing history, IP address, or any of your network data.
  • Carefully read the privacy policy to understand what data is collected and how it’s used.

Consider Malwarebytes Privacy VPN:

Of course we’d say that. But with 256-bit ChaCha20 encryption, lightning-fast WireGuard protocols, and a strict no-log policy, you can be sure that Malwarebytes Privacy VPN will never track, store, or share any network data.