A new paper shows many free VPNs in Google Play store put your privacy at risk

In world wide Data Privacy Day it’s important to remember that free VPNs are far from safe. A new paper (PDF) by researchers from Australia’s Commonwealth Scientific and Industrial Research Organization, University of New South Wales, The Institute of Company Secretaries of India and University of California, Berkeley shows that a vast majority of free VPNs for Android, many very popular and high rated, put their users’ security at risk. The study shows that alarmingly

  • 75% of the apps tested use third-party tracking libraries.
  • 82% unnecessarily request permissions to access sensitive data such as user accounts and text messages.
  • 38% contain some form of malware (adware 43%, trojan 29%, malvertising 17%, riskware 6% and spyware 5%).
  • 18% do not encrypt anything
  • 18% provide no information on who is hosting the VPN servers
  • 16% forward traffic through other users’ network bandwidth (making the user basically one node in their VPN network).
  • 84% expose user’s real IP address via IPv6 DNS leaks.
  • 16% deploy non-transparent proxies that modify user’s HTTP traffic. This includes injecting JavaScript code for advertising and tracking purposes.
  • 4 of the analyzed apps perform TLS interception. Although three of these claim this is in order to perform traffic acceleration, this allows them to selectively intercept data sent to secure HTTPS Such as banks, email services, e-commerce sites, and online tax return websites.

Many people are using these apps to secure their movements online but all these free VPN apps are doing is putting them into even bigger risk online than without a VPN.

Intrusive Android VPN Apps

If you’re using any of these, you should stop immediately!

“Millions of users appear to trust VPN apps despite their potential maliciousness,” the study noted. Yet “VPN apps like HideMyAss and VPNSecure which claim to provide security and anonymity are not effective against surveillance and malicious agents.”

The study says one of the worst offenders people are using is HotSpot Shield by AnchorFree, a VPN which is very often recommended as the best free VPN in many review sites and VPN discussion. It was found that Hotspot Shield actively injected JavaScript into web pages, and redirected e-commerce traffic to AnchorFree’s partner sites. HotSpot Shield is currently installed in over 10 million Android devices. Article on Yahoo! adds that proper VPN services like F-Secure’s Freedome block ads and third-party trackers, adding another degree of privacy, unlike HotSpot Shield.

How to stay safe?”

The best way to stay safe is to stop using any free VPNs. Free VPNs are using the user to make money, which means these services don’t value your online privacy or data security at all. It is best to stick with the best VPNs available that really can be trusted and are trusted by millions of users all over the world. These reputable VPN services can be obtained for less than $5 per month.

Read more in our article “Are Free VPNs worth it?”