A Collection of User Data Allegedly Sourced From Android VPNs Appeared for Sale
Last updated August 4, 2021
As reported by Top10VPN researcher Simon Migliano, Android’s most downloaded VPN apps suffer from several security flaws, excessive permission requests, and even DNS leaks. The researcher and his team tested the 150 most downloaded free VPN apps on the Google Play Store, totaling over 260 million installations. Of these, 25% were found to leak DNS data, essentially defeating the primary purpose of using a VPN app in the first place.
As these apps are free, it is expected that they will have to use some alternative method to generate revenue. The well-trodden way to achieve this is advertising, but some go beyond what would be considered acceptable for their role, using geolocation data to serve users more targeted ads, which introduces privacy risks. To make this functionality possible, several apps ask for too many permissions, giving them great power over the device. More than half of the apps stored the last known location data of the device, while another 38% ask for access to personal information.
What is worrying is that many of the apps hide their shady practices under the hood, collecting location data without asking for the relevant permission, and even sending SMS messages without the user realizing. The researchers have also discovered that some of the VPN apps contain dormant code for additional permissions, such as camera and microphone recording, that could potentially be activated in a future update. All this goes against Google’s guidelines for Android app developers, and in the case of VPN apps, it is even more irrational.
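The permission categories named above can be checked on any app before installing it. The following Python sketch is an added example, not code from the Top10VPN research: it assumes the app's `AndroidManifest.xml` has already been decoded to text (for instance with apktool), uses a constructed sample manifest, and the mapping of "personal information" to specific permissions is an assumption. It only sees declared permissions, so it cannot detect data collected without a permission request.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups the article calls out as out of place in a VPN client.
# The "personal information" members are an assumption, not the researchers' list.
RISKY = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "personal information": {"android.permission.READ_CONTACTS",
                             "android.permission.READ_PHONE_STATE",
                             "android.permission.GET_ACCOUNTS"},
}

# Constructed sample: a hypothetical free VPN app's decoded manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return {group: [permissions]} for declared permissions a VPN should not need."""
    root = ET.fromstring(xml_text)
    declared = set()
    # Permissions can be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                declared.add(name)
    return {group: sorted(declared & perms)
            for group, perms in RISKY.items() if declared & perms}


if __name__ == "__main__":
    for group, perms in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{group}: {', '.join(perms)}")
```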
Testing the app binaries against a set of 60 virus database scanning tools yielded positive matches for 18%. This means that 27 out of the top 150 free VPN apps for Android are basically viruses or malware. As for the critical issue of network performance and activity handling, the researchers used 103 apps to conduct the tests and found both major and minor issues. More specifically, 14 VPN apps use DNS servers that are blacklisted, seven apps raised “man-in-the-middle” alarms, 22 apps were found to be too slow to be usable, two apps used completely transparent proxies, and another five apps did not cache information properly.
Out of everything tested, the only ones that didn’t ask for risky permissions, passed the malware/virus tests, didn’t follow dangerous network practices, and didn’t leak any DNS data are the following:
Of course, we also have our very own list with the best Android VPNs that you can use right now, extensively tested and ranked by our editors.