Security researchers warn against using shady VPN Android apps

Kyle Wiggers
vpn android apps header image

Maksim Kabakou / 123RF

If you’ve ever needed to conduct business over the internet somewhat privately on your phone, a virtual private network — or VPN, for short — is an excellent way to go about it. It’s basically an encrypted third-party middleman that sits between you and the wider internet, protecting your data from prying eyes.

And its practically foolproof — even if a hacker were to penetrate the “tunnel,” so to speak, they would struggle to read the data within. But to use a virtual private network, you need an app, and not all apps are as secure as the virtual private network itself.

Security researchers at CSIRO’s Data 61, the University of New South Wales, and UC Berkeley studied 283 VPN apps for Android available from the Google Play Store. A whopping 38 percent of the apps on the Google Play Store that were tested contained some form of malware, adware, trojan, or spyware, while 67 percent featured at least one third-party tracking library. As many as 82 percent requested permissions to access sensitive user data, including text messages and call logs.

The researchers categorized the “worst offenders” — apps with an excessive amount of malware — in a top-ten chart.

More: The 10 best Android VPN apps for privacy and security

And to make matters worse, many fell short of delivering the anonymity they promised. Around 18 percent of the VPN apps didn’t encrypt traffic, and 16 percent routed traffic through other users of the same app rather than a dedicated server. And as many as 66 percent leaked traffic, which the researchers noted could “ease online tracking activities” performed by unscrupulous Wi-Fi hot spot administrators and “surveillance agencies.”

Worryingly, more than 25 percent of the apps received at least a 4-star rating. “According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user’s traffic with the VPN permission,” the researchers wrote.

More: Everything you wanted to know about VPN, but didn’t want to ask

Ultimately, the survey’s authors recommend “looking before you leap,” in a sense — in other words, researching the VPN apps you’re considering and ensuring they act and behave as advertised. Be especially wary of free apps, they say. Stick to well-known companies that are transparent about their practices. And if an app requests access to sensitive information during the installation process for no good reason, it’s probably best to get rid of it.