Your complimentary mobile VPN is a privacy nightmare. Who would have thought?
Free VPN apps for Android may be more harmful than you anticipated. A recent extensive audit of free Android VPN applications has revealed some alarming results that warrant skepticism. Researchers discovered that these apps are leaking traffic, passing on personal information to third parties, and essentially doing the opposite of what a VPN is intended to achieve.
The research was conducted by teams from the University of Michigan, the University of New Mexico, and IIT Delhi. The findings were shared at the Network and Distributed System Security Symposium 2026, along with MVPNalyzer, a framework designed for automated, large-scale audits of mobile VPN apps.
Some VPNs struggled to maintain basic functionality.
The researchers examined 281 functional, general-purpose VPN apps available for free on the Google Play Store. The sample was collected from searches related to VPNs in supported countries before the apps were tested on devices running Android 14. Services requiring an account or payment were omitted from the analysis.
Among these apps, 61 transmitted data without encryption. Five sent sensitive VPN configuration files in plain text, which could allow a network attacker to redirect users to a manipulated server. Additionally, 29 apps leaked browser or DNS traffic outside the encrypted tunnel, directly compromising one of the primary benefits of using a VPN.
Concerns about privacy were significant. Seventy-six apps sent device identifiers, such as Android’s Advertising ID, to third parties, enabling ongoing tracking and fingerprinting. Researchers were able to extract and analyze VPN configuration files from 108 apps, and 107 of them neglected or violated recommended encryption and security protocols.
The study does not suggest that all mobile VPNs are insecure. Its focus was on free Android apps that operated without accounts or in-app purchases, thus the findings shouldn’t be automatically applied to iPhones or well-established subscription services not included in this methodology.
The results underscore how little assurance a listing on the Play Store and a reassuring icon provide. The researchers cautioned that disclosures in app stores, including developer-submitted Data Safety information and Google’s VPN verification badge, may serve more as marketing tools than as reliable indicators of security. Therefore, it’s advisable to refrain from downloading the first free VPNs that show up in your app store searches.
Vikhyaat Vivek is a tech journalist and reviewer with seven years of experience covering consumer hardware, focusing on...
Samsung's Galaxy Z Flip 8 has recently shown off its official renders, revealing the familiar foldable design in three new colors. If you were hoping for a significant redesign, you might want to lower your expectations. If it’s not broken, Samsung won’t be fixing it.
Apple has begun testing a more affordable Chinese RAM supplier for some of its devices sold in China, a company that has been under scrutiny by Washington. The rumors surfaced shortly after Apple announced a price increase for most of its devices, except for the iPhone and Apple Watch.
Android 17's new video standard addresses one of HDR’s biggest challenges. Your HDR videos are set to look correct, no matter which screen you use. Android 17 features several new capabilities, but one minor addition, known as Eclipsa Video, could prove to be more impactful than it appears. Its primary objective is to ensure that your HDR videos display as intended, regardless of the device.
Other articles
Your complimentary mobile VPN is a privacy nightmare. Who would have thought?
Researchers evaluated 281 free Android VPN applications and discovered unencrypted data transfers, traffic leaks, and extensive tracking within tools that are meant to safeguard users’ privacy.
