Home Risk & Resilience Study Of 281 Free Android VPN Apps Reveals Traffic Leaks, Unencrypted Connections, And Extensive User Tracking

Study Of 281 Free Android VPN Apps Reveals Traffic Leaks, Unencrypted Connections, And Extensive User Tracking

0
Study Of 281 Free Android VPN Apps Reveals Traffic Leaks, Unencrypted Connections, And Extensive User Tracking

A new cybersecurity study has uncovered significant privacy and security shortcomings in hundreds of free Android virtual private network applications available on Google Play Store, raising concerns about the reliability of services that millions of users rely on to protect their online activity. Researchers evaluated 281 of the most popular free VPN applications using a newly developed testing framework called MVPNalyzer and found that many of these applications fail to provide basic protections expected from a VPN service. According to the study, applications identified with at least one security or privacy issue have collectively been installed more than 2.4 billion times, highlighting the scale of potential exposure.

The research was presented at the Network and Distributed System Security Symposium in February 2026 by experts from University of Michigan, University of New Mexico, and IIT Delhi. The MVPNalyzer framework was developed as a mobile counterpart to the team’s earlier VPNalyzer project focused on desktop VPN software and is described as the first system specifically designed to repeatedly and systematically audit Android VPN applications. Researchers discovered that 29 applications allowed user traffic to leak outside encrypted tunnels, including DNS requests that can reveal the websites a user visits. Another 61 applications transmitted certain information in plain text that could be intercepted by anyone monitoring the same network. The most serious finding involved five applications that downloaded their configuration files without encryption. Since these files determine which servers the applications connect to, attackers on the same network could potentially modify the files and redirect users to servers under their control. The researchers successfully demonstrated this attack scenario and said only two of the affected providers acknowledged the issue and promised to adopt secure HTTPS protections.

The study also highlighted broader concerns surrounding privacy and transparency. Of the 29 applications with leakage issues, 24 exposed DNS traffic while six leaked complete browsing traffic outside the encrypted tunnel. Researchers also identified four applications operating without any encryption despite marketing themselves as VPN services. Another 169 applications made no attempt to disguise their traffic patterns, making it easy for network operators or government censors to identify and block VPN usage with basic tools. Ironically, many of these applications claimed to bypass internet restrictions and unlock blocked content. User tracking was also widespread. Researchers found that 76 applications transmitted the device’s advertising identifier, which advertisers use to track user activity across applications and services. More than 80 percent of the tested applications contacted known advertising and tracking servers and transmitted information such as device models, operating system versions, and screen sizes that can be combined to create unique device fingerprints. One application was even found sending precise GPS location data.

A separate review of OpenVPN configuration files from 108 applications revealed additional weaknesses. Only one application complied with all of the security best practices measured during the study. Approximately 89 percent relied on a single authentication method instead of using multiple layers of protection, while nearly one in five applications used outdated or weak encryption technologies, including Blowfish and Triple DES. Some applications even disabled encryption entirely. Researchers said these problems stem largely from poor maintenance and insufficient review processes that allow such applications to remain highly visible on Google Play Store. The study also pointed to previous research that uncovered hidden relationships between VPN providers, extensive data collection practices, and outdated software libraries vulnerable to known exploits. The researchers advised users to choose providers that undergo independent security audits, be cautious of free applications heavily dependent on advertising, and avoid assuming that labels such as “verified” or “no logs” automatically guarantee privacy and security. The team plans to release MVPNalyzer publicly to enable app stores and regulators to conduct similar assessments and improve oversight of VPN applications available to consumers.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.