Skip to main content
Cybersecurity

Free Android VPN Apps Expose User Traffic, Fail Basic Security Tests

Smartphone on a neutral surface with Google Play Store open, surrounded by app icons and a blurred cityscape or home office…

The apps flagged with at least one problem have been installed more than 2.4 billion times, according to a new systematic audit of free Android VPN software.

MVPNalyzer, the study, and where it was shown

Researchers from the University of Michigan, the University of New Mexico, and IIT Delhi presented a new testing framework called MVPNalyzer at the NDSS security conference in February 2026. MVPNalyzer evaluated 281 of the most popular free VPN apps on the Google Play Store and is described by its authors as the first framework built to systematically and repeatedly audit Android VPN apps. The team says it will publish MVPNalyzer publicly so app stores and regulators can run the checks themselves.

Tunnel hijacking: the single most serious flaw

The study identified five apps that download their VPN configuration files in plaintext. Those files instruct the app which server to connect to; if an attacker on the same network rewrites the file in transit, the app can be pointed to a hostile server while still showing the user a normal “connected” screen. The researchers built and confirmed this attack on phones under their control. The issue was flagged to all five providers; two responded. One provider said it would send the configuration files "securely using HTTPS with proper certificate validation." Three providers had not acknowledged the report as of publication.

DNS and traffic leaks: scale and user exposure

Many of the failures are basic rather than exotic. Of the 281 apps tested, 29 allowed user traffic to leak outside the encrypted tunnel. Of those 29, 24 leaked DNS traffic — exposing which websites users consult to the local network — and those 24 apps account for roughly 360 million installs. Six apps leaked full browsing traffic outside the tunnel, and four ran “tunnels” with no encryption at all. In total, the apps flagged with at least one problem have been installed more than 2.4 billion times.

Separately, 169 apps made no attempt to disguise their VPN traffic, which means a network operator or government censor can identify and block the connections with basic tools. Nearly two-thirds of that subset nevertheless advertise that they defeat blocking or unlock restricted content — a promise the apps do not technically keep.

Tracking, telemetry, and device fingerprinting

Privacy promises and tracking practices collided across the sample. Seventy-six apps sent the device’s Advertising ID, the persistent identifier that advertisers use to follow a device across apps. In all, 246 apps — more than 80% of the tested set — contacted known advertising and tracking servers. Many apps also transmitted device details such as phone model, OS version, and screen size; combined, those data points create a fingerprint that can single out a device. One app even sent exact GPS coordinates.

Weak cryptography, OpenVPN configurations, and maintenance problems

The researchers inspected bundled OpenVPN configuration files drawn from 108 apps. Only one app followed every security best practice the study measured. About 89% relied on a single authentication method (either a password or a certificate) rather than using both. Nearly one in five used weak or outdated encryption ciphers, including Blowfish and triple DES; a few configuration files set the tunnel data cipher to none. The study cites the long-known weaknesses associated with those ciphers (CVE-2016-6329 and CVE-2016-2183). The authors attribute many issues to poor maintenance and to the Play Store’s automated checks, which allowed poorly maintained apps — some ranking highly in search results — to remain available while presenting Google’s safety labels and a "Verified" badge that the study says function more like marketing signals than security guarantees.

What this means for end users, security teams, and regulators

  • End users: The most serious problems—cleartext config fetches and weak tunnel settings—are invisible to users. The researchers recommend favoring providers that publish recent independent security audits, treating "verified" or "no-logs" claims as a starting point, and being wary of free apps that rely on heavy advertising. The study’s appendix lists every flagged app so users can check whether a specific app appears there.
  • Enterprise and security teams: Relying on consumer-grade free VPNs exposes traffic to detectable leaks, weak ciphers, and telemetry that undermines anonymity. The research implies enterprises and procurement teams should require independent audits and vet configuration-handling practices rather than trusting store badges.
  • Regulators and app stores: The authors plan to make MVPNalyzer available so app stores and regulators can run automated, repeatable checks. The Hacker News has asked Google whether it is reviewing or removing the flagged apps and how it responds to the finding that Play Store safety labels and the "Verified" badge are more marketing than security guarantees; the story will be updated with any response.

This audit joins earlier work pointing to the same pattern. In August 2025, researchers at the University of Toronto’s Citizen Lab and Arizona State University found several popular Android VPN apps with more than 700 million combined downloads were secretly linked, shared hard-coded passwords, and collected location data. In October 2025, mobile security firm Zimperium reported that three of roughly 800 free VPN apps still bundled a version of OpenSSL vulnerable to Heartbleed and that many asked for permissions beyond what a VPN needs. Together, the studies show repeated gaps between privacy marketing and engineering practice — and a need for automated, repeatable review.

Link to original story: https://thehackernews.com/2026/07/study-of-281-free-android-vpn-apps.html