Android Security Risk: Popular Free VPN Apps Put Users At Risk, Researchers Find

Virtual private networks (VPNs) are designed to keep users safe while browsing online. According to a recent study by security researchers, a group of popular Android VPNs may actually be putting their users more at risk.

The information comes from a collective of researchers at the Commonwealth Scientific and Industrial Research Organization’s Data 61, University of New South Wales and University of California, Berkeley. The group combed through hundreds of VPNs available to download from the Google Play Store, and found a shocking number of vulnerabilities.

Of the 283 apps the researchers investigated, they found 38 percent of the VPNs contained some form of malware, 75 percent utilized at least one third-party tracking library and 82 percent required access to sensitive Android permissions including user accounts and text messages.

Using online scanning service VirusTotal, the researchers ran scans to determine which apps contained the most malicious material. It found OkVPN, a rather obscure app with about 1,000 downloads, to be riddled with malware.

It wasn’t just relatively unknown apps that were guilty of containing viruses and other problematic content; Butternet has more than five million downloads and was flagged by 13 separate anti-virus tools as containing malware. One Click VPN, which has more than one million installs, was flagged by six anti-virus systems.

Perhaps worse than the built-in viruses and invasive adware that come installed with some of the apps in question is the fact that some of the VPNs didn’t even provide their promised function.

Nearly one-in-five of the tested VPNs—18 percent of them—don’t use encryption to protect user traffic, according to the findings. Another 16 percent don’t have dedicated online servers to route user traffic and instead opt to move the traffic through other users of the same app, meaning the activity of one user may end up associated with another without their knowledge.

The researchers warned, “This forwarding model raises a number of trust, security, and privacy concerns for participating users.”

The practice of routing user traffic through other users got Hola VPN in trouble in 2015. The service, which at the time had 46 million users, came under fire from security researchers for failing disclose its traffic routing method. Hola now admits the behavior, rather than ending the practice.

While the problems with many of the VPNs should be cause for concern, most users trust the services they are using—even when they shouldn’t. The researchers found 37 percent of the VPNs analyzed had more than 500,000 installs and one in four had over a four-star rating, signifying many users are completely unaware of the vulnerabilities they are being exposed to.