Researchers find security holes in popular VPN apps for Android


Millions of people around the world are using virtual private networks (VPNs) to secure their online activity every day. In general, “tunneling” your way to the internet via a VPN is a great way to maintain the remaining shreds of your anonymity. That being said, researchers warn that not all VPN providers are created equal, and that some (especially free ones) are grossly abusing their users’ trust.

Flaws with free VPN 

In a world where new VPN apps seem to pop up every day, staying competitive is getting increasingly difficult. As a result, we’re seeing more and more providers offer a “free” VPN service to lure new users.

It should go without saying, but VPN providers are businesses, and every business’ main objective is to make money. If we pause to think about this for a second, we’ll quickly realize that the math just doesn’t add up.

Running a VPN server (let alone multiple) takes buckets upon buckets of cash – and if these buckets aren’t replenished via user subscription fees at the end of each month, it would appear that these companies are operating their entire business at a loss, right?

Obviously, that is not the case – the old adage “if you’re not paying for it, you’re the product” fits quite well here. While these providers won’t necessarily spy on you or sell your data to third parties, it’s dangerous to blindly assume that any “free” VPN service is trustworthy and secure…

Which brings us to this week’s news.

Study of VPN apps 

A recent study conducted by researchers at UC Berkeley, UNSW Sydney, UCSI, and Data61/CSIRO revealed that a number of popular and seemingly “trustworthy” VPN apps on the Google Play Store are riddled with security vulnerabilities, traffic redirects, and other shady practices.

A team of security researchers studied 283 VPN apps for Android and found that about 37% of them contained some form of malware, spyware, adware, or trojan.

A further breakdown of the shady practices is as follows:

  • 18% do not encrypt traffic
  • 67% feature at least one third-party tracking library
  • 84% have dangerous data leaks
  • 80% ask users for access to sensitive data like text messages, phone logs, and user accounts
  • Some were found to be injecting JavaScript for ads and traffic redirection to third parties

Unfortunately, the list goes on.

Worst offenders 

Though the paper doesn’t go through with ranking each individual app in order from best to worst, the researchers compiled a list of the top 10 offenders, according to the VirusTotal ranking system.

List of VPN Apps with a VirusTotal AV-Rank greater than 5

As you can see, the most popular of these applications (Betternet) has about 5 million active installs, along with an average user rating of 4.3 stars. In fact, more than a quarter of the apps mentioned in the study average a 4/5 or higher, meaning that millions of users are putting their trust into these sketchy applications every single day.

To make matters worse, the researchers have found that the vast majority of the offenders did not disclose their shady practices. In fact, aside from Hola, nearly everyone else failed to mention the fact that they were forwarding user traffic to third parties, or injecting their own ads.

The paper also points out that the researchers have made an effort to get in touch with the developers, but most, unsurprisingly, did not respond.

What should you do?

While there are plenty of malicious providers floating around, there are also a few trustworthy ones. The authors of this study recommend doing your own due diligence and spending a bit of time researching every VPN provider that you’re considering, in order to ensure that their behaviour matches their claims. This step is especially crucial if you’re tempted to use a “free” service.

It’s also worth mentioning that while paid providers tend to be much more reliable, not all of them are perfect. Check out our thorough overview of the most trustworthy and transparent VPN providers for Android, if you’re not sure where to start your hunt for the best VPN.

To save you a click – we recommend going with one of: IPVanish, ExpressVPN, VyprVPN, or All of these providers have been around for quite some time, and are generally well regarded in the cyber security corners of the internet.


Author: Aleks Bahdanovich

When not writing about the latest tech, this Apple enthusiast enjoys building custom PCs and designing a more aesthetic web. Using whatever free time is left, Aleks partakes in therapeutic kickboxing and action film-watching.
