ExpressVPN application spying on you!

I use expressVPN on my mac. I also use little snitch.

Even when not running the application, it tries to connect to the internet - ad serving!

Beware!

I pay for the service, and it’s (trying) to spy on me.

Here are some log entries from little snitch…

-----------------

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: d15wdfb2rw9n2y.cloudfront.net

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to d15wdfb2rw9n2y.cloudfront.net. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: d21wlyhffxxqkt.cloudfront.net

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to d21wlyhffxxqkt.cloudfront.net. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: d2335eacoaawg9.cloudfront.net

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to d2335eacoaawg9.cloudfront.net. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: d28n7yywqog3r7.cloudfront.net

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to d28n7yywqog3r7.cloudfront.net. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: d3ra9679oeq3gx.cloudfront.net

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to d3ra9679oeq3gx.cloudfront.net. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: domain bangkokbank.com

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to www.bangkokbank.com. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: domain holidayiq.com

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to www.holidayiq.com. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: domain lysuovey.net

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to www.lysuovey.net. The request was denied via connection alert.

action: deny

direction: outgoing

priority: regular

process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

owner: me

destination: domain scorecardresearch.com

port: any

protocol: any

notes: On Apr 16, 2019, expressvpnd tried to establish a connection to b.scorecardresearch.com. The request was denied via connection alert.
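One way to audit an export like the one above, written here as an added example (not from the original post, Little Snitch or ExpressVPN): it parses the record format shown, prefers the exact hostname in the notes line over the coarser destination field, and summarises denied outgoing connections per process. The sample entries are constructed from values already in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the Little Snitch export format quoted in the thread
# (two of its entries, some fields omitted, one notes line cut short as on the page).
SAMPLE = """\
action: deny
direction: outgoing
process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd
destination: d2335eacoaawg9.cloudfront.net
notes: On Apr 16, 2019, expressvpnd tried to establish a connection to d2335eacoaawg9.cloudfront.net. The request was den

action: deny
direction: outgoing
process: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd
destination: domain scorecardresearch.com
notes: On Apr 16, 2019, expressvpnd tried to establish a connection to b.scorecardresearch.com. The request was denied via connection alert.
"""

# The notes line names the exact host; "destination" may be a whole domain
# ("domain scorecardresearch.com"), so prefer the notes when present.
HOST_RE = re.compile(r"connection to (\S+?)\.(?:\s|$)")

def parse_entries(text):
    """Split blank-line separated 'key: value' records into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        rec["destination"] = re.sub(r"^domain\s+", "", rec.get("destination", ""))
        m = HOST_RE.search(rec.get("notes", ""))
        rec["host"] = m.group(1) if m else rec["destination"]  # fallback if truncated
        entries.append(rec)
    return entries

def summarize(entries):
    """Per process: denied outgoing count, distinct hosts, naive registrable domains."""
    out = defaultdict(lambda: {"denied": 0, "hosts": set(), "registrable": set()})
    for e in entries:
        s = out[e["process"]]
        if e.get("action") == "deny" and e.get("direction") == "outgoing":
            s["denied"] += 1
        s["hosts"].add(e["host"])
        s["registrable"].add(".".join(e["host"].split(".")[-2:]))  # last two labels
    return {p: {k: sorted(v) if isinstance(v, set) else v for k, v in s.items()}
            for p, s in out.items()}
```

Run it on a full export and the per-process host list shows at a glance which destinations a daemon reached for while the app was closed; the "registrable" key collapses CloudFront hostnames into one line.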

No it’s not spying on you. Here’s what’s happening:

-The app tries to call home to an ExpressVPN API to discover the set of available VPN infrastructure.

-Your firewall is rejecting those requests, and as a result the app fails to call home via its standard method. This is quite similar to what happens when customers use the apps in countries with censorship. ISPs there also block the app’s attempts to call home, thus trying to prevent customers from using ExpressVPN.

-The app has features to let it handle such situations.

-You can see those features in action as the app is trying other domains, testing just how much your firewall is blocking.

We’ve previously published some more info in our troubleshooting section under “Why do ExpressVPN apps occasionally contact domains I don’t recognize?”

In general, this relates to censorship-avoidance. A user on a network without censorship (or a firewall acting as such) shouldn’t see these features in action. In your case here, the app is behaving as expected given the trouble the firewall is subjecting it to, and it’s definitely not spying on you. We put a lot of effort into making sure we’re consistently following our privacy policy.

Can we get a comment from the company on this?

Hi, I noticed the same thing and find it really concerning. What is the need to have this process running in the background *while the actual app itself* is not even running and I am not connected to your VPN at all? If the process is manually killed it instantly respawns. Spying or no spying, I don’t understand why this needs to be running pinging hosts like survey monkey and paypal when I am not using your app or service. Before I came across this thread I asked chat support about this and Mikey said the process was not related to the app and that it was malware (I reminded him it resides in your app’s bundle and literally has expressvpn in the process name) and eventually disconnected.

For what it’s worth, I am in the US and have a wide open internet connection with no firewall and nothing blocked, and there are dozens of suspicious hostnames similar to what the OP shared that mine is connecting with. scorecardresearch and lysuovey…? Even if it isn’t sending my data to those sites, why would you pick these hosts of all hosts to establish censorship conditions? So many unanswered questions.

Please just make it possible to kill this nasty process if I am not connected to your VPN if I consent to longer startup times when I do want to eventually connect.

Similar thread, been doing this for a while I guess.

https://www.reddit.com/r/Express_VPN/comments/9oe90q/expressvpncom_spyware_spy_on_you_be_aware/

Bastards. That’s why you should never use the clients from vpn, but configure it with openvpn

It doesn’t make sense, why would a paid service show ads? I don’t recall seeing ads in any ExpressVPN app on my Mac, even with all connections enabled.

Run this in your terminal; it will remove the related files. Then reboot or kill the process from Activity Monitor.

/Applications/ExpressVPN.app/Contents/Resources/uninstall.tool

Thank you for your response.

Hi, thanks for your detailed explanation here. May I ask, why carry on with the heartbeat-type pinging when the app/service is completely closed and the user isn’t expecting data coming off this application? Can I turn off all ExpressVPN traffic when I’m not using the app (MacOS)? Cheers

We assume you are referring to the ExpressVPN app for Windows. It has a process called xvpnd.exe running as a Windows service. The responsibilities of that service are to:

  1. Control the various methods of connecting to the VPN (i.e. OpenVPN and the protocols built into the operating system)
  2. Manage the firewall and the operating system’s DNS settings to ensure that traffic does not leak outside of the VPN tunnel.
  3. Interface with the ExpressVPN APIs for authenticating the user and discovering VPN infrastructure.
  4. As discussed on this thread: assess the level of censorship that the user is exposed to.

There are several reasons why that process exists, is launched on boot, and gets restarted when killed. They include:

  1. To have the killswitch take effect and protect users from leaks as early as possible upon boot.
  2. To reduce launch times of the ExpressVPN UI app
  3. To minimize the security attack surface. Code that controls VPN and firewalls often needs to run as admin. Therefore the ExpressVPN app is split into two parts: one that actually needs to run as admin, and then a separate UI app that doesn’t need such privilege.
  4. To raise the chances of being able to recover from crashes.

We understand your desire as an advanced user to be able to control when this process runs. For now, launching the service at boot is a design choice we made to get the benefits listed above. We’ve added to our product backlog a feature to let the user control this as you described, and accept the downsides that come along with that. For now, if you’re uncomfortable with that service running, you can consider using a manually configured VPN connection using your operating system’s built-in functionality. See more info for how to do that on our VPN setup guides.

Lastly, it sounds like you’re seeing the censorship-resilience feature in action on a network without censorship (or a firewall having a similar effect). That would be a bug in that feature. It should only activate itself when really needed. We’re investigating and looking for signs of such bugs. We’d appreciate your help in tracking it down. Would you mind shooting us an email referencing this thread with steps on how you reproduced this issue?

It’s a silly way to do a health check, that’s for sure. Why don’t they just ping their own servers, for example?

I’m too lazy to packet sniff to see if it’s just pinging these servers.

The best solution is to install ‘manually’ with openvpn, then uninstall the application, and connect with OpenVPN.

Then find another VPN provider that doesn’t breed suspicion…

Sound advice. I had already done that, and only connect with openvpn. However, I didn’t remove the ExpressVPN application.

I found it very curious that it was trying to contact those sites, even without a VPN connection via the app itself.

As I mentioned below, they seem to want me to think it is a ‘health check’.

They are saying it is a ‘health check’. Laughable.

When you install the app, it installs a daemon that always runs. The daemon is trying to contact the sites - even when not connected to the VPN. Kinda makes using a VPN useless.

I already had configured my desktop to use openvpn (as aawsms recommended above), but left the application installed.

I wonder what information they are sending to PayPal.com, for example?

September 22, 2022
same here and still happening :confounded_face:

Worked well, thanks.

Lots of unanswered questions still. Why is there no way to kill this process if I am not even using the app?

https://www.reddit.com/r/Express_VPN/comments/bdvrfn/expressvpn_application_spying_on_you/elc3lts?utm_source=share&utm_medium=web2x

Thanks for your reply on here. Seems like you have a deeper level of knowledge than the regular support team, as each chat had no idea what this process was. I’m actually referring to expressvpnd on macOS, I have never used the windows client. Does your explanation still apply to the Mac environment as well?

It’s located here: /Applications/ExpressVPN.app/Contents/MacOS/expressvpnd

And yes, would love to help further troubleshoot the censorship resilience operations on my open network. Given my past experience with support this weekend (stating that the background process has nothing to do with your service and then advising to just kill it, even though it immediately respawns), is it possible to have a different point of contact who is familiar with this process (such as yourself, maybe)? Just in the last day over 76 unique hosts have been contacted, all without even opening the ExpressVPN app once.

Lastly, in the interest of full transparency, can you provide a list of hosts this process is designed to contact when it detects censorship concerns? At initial glance the domains seem very peculiar for this purpose.

Thanks again for your assistance on here!

I just happened into this rabbit hole while installing something like little snitch. Wow.
4 years later, we don’t have the feature to stop making outbound connections.

Flip side: using seemingly advertising urls is a great way to remain under the radar in Iran, China, or whatever hell-hole you may find yourself in. But DNS is easily spoofed so the connections you think you are attempting may get hijacked. Who knows how safe your protocol is for keep alive. We don’t need this.

OpenVPN client: OK, but it does not support Lightway, and that is a truly good innovation that for me has made the difference between a high bandwidth internet connection that can “keep up” and one that can not. You can’t use that protocol in OpenVPN; it is an advantage and one they worked hard to create.

PLEASE. There is no need to keep this thing contacting everything. Please implement this now or we have no choice but to delete the clients.

Sounds like a healthy amount of data transmitting all over the world! :face_vomiting: