Updated
Updated · The Hacker News · Jul 10
Study Flags 281 Free Android VPN Apps After 2.4 Billion Installs, Including 5 Open to Hijacking
Updated
Updated · The Hacker News · Jul 10

Study Flags 281 Free Android VPN Apps After 2.4 Billion Installs, Including 5 Open to Hijacking

3 articles · Updated · The Hacker News · Jul 10

Summary

  • 281 popular free Android VPN apps failed core privacy and security checks, and apps with at least one flaw have been installed more than 2.4 billion times.
  • 29 apps leaked traffic outside the VPN tunnel, including 24 that exposed DNS lookups and 6 that leaked full browsing traffic; 5 fetched configuration files without encryption, letting attackers redirect connections to rogue servers.
  • 246 apps contacted known advertising or tracking servers, 76 sent Android Advertising IDs, and one transmitted exact GPS coordinates despite marketing themselves as privacy tools.
  • 108 bundled OpenVPN configurations showed weak setup practices: only 1 met every measured best practice, about 89% used single-factor authentication, and nearly 1 in 5 relied on outdated ciphers.
  • MVPNalyzer, presented at NDSS 2026, is the first framework built to repeatedly audit Android VPN apps; the researchers say Play Store safety labels and VPN verification badges have acted more like marketing than security guarantees.

Insights

With billions of VPN installs leaking data, are 'privacy' apps now the biggest threat to your actual privacy?
Google's 'Verified' badge is on insecure VPNs. Is the Play Store's safety system just a marketing gimmick?
Commercial VPNs are failing. Is building your own the only way to guarantee your mobile privacy in 2026?

Billions Exposed: New Research Reveals Widespread Privacy Failures in Free Android VPNs

Overview

A recent academic study has revealed serious security and privacy flaws in free Android VPN apps, putting billions of users at risk. The research confirms that many of these apps, even those available in official app stores or with verification badges, do not provide the strong protections users expect. This challenges the belief that app store approval means an app is safe. To address these issues, researchers introduced MVPNalyzer, a new tool for automatically checking VPN app security. The findings highlight the urgent need for better oversight and show that poorly maintained free VPNs can expose sensitive user data.

...