Despite Google’s best efforts, including seemingly game-changing plans for Android 15, it seems the warnings just won’t go away. Less than a fortnight after an alarming report into the state of Play Store malware hit the headlines, here we are again. It’s not just malware this time, it’s broader. And with more than 2 billion installs across 100 popular apps, users need to start checking and deleting.
Let’s keep this stupidly simple. Do not use a free VPN—not now, not ever. For the few people not yet familiar with virtual private networks whose popularity continues to surge, these apps shield your IP address and browsing activity from your network, ISP or anyone who might be listening in. The apps securely tunnel from your device to a third-party server, and then out to the open internet from there.
In a world of protests and threats to dissidents, lawyers, campaigners and journalists, to say nothing of territories that have clamped down on certain apps and platforms, VPNs are a lifeline. While places like China and Iran block apps at will, VPNs are the reason users in those countries can still get through.
For a VPN to function effectively it needs a network of servers around the world, enabling users to either connect to one that’s local or one that can present a location mask, trading a real IP address for one in a different country. Live in the UK and connect to a US server, for example, and you can appear to the open internet to be 3,000 miles from home. It doesn’t always work when using apps on your phone, as anyone trying to subvert geographic broadcast restrictions might discover. There are other ways for an app on a device to check your location. There are ways around such blocks, but not for sharing.
Legitimate VPNs charge a fee or come bundled with other paid security products. And yet most VPNs remain free. And this is one of the great app ironies. The economic business model for a free app is to harvest your location, device and other data or to serve you ads. If you’re lucky. If you’re unlucky, the business model is to infect your phone with malware and steal login credentials or private information.
The new warning to the millions upon millions of Android users falsely believing they have secured their phones comes from Top10VPN, which has just tested the “100 most popular free Android VPN apps in the Google Play Store… with 2.5 billion worldwide installs between them.” Its aim, it says, is “to help you avoid using potentially unsafe free VPNs that compromise your privacy and security.”
Spoiler alert—pretty much every one of those VPNs is a privacy or security disaster, or both.
Just some of the issues the report sets out include:
- More than 10% of the apps “suffered encryption failures, ranging from total exposure of internet activity to leaking details of websites visited.”
- Almost 90% of the apps “suffered some kind of leak, including 17 VPNs leaking more than DNS request data,” while more than 50% “showed signs of VPN tunnel instability.”
- Almost 70% of the apps “requested at least one privacy-risking permission, such as location tracking (20%) and scanning for installed apps (46%).”
- More than 80% of the apps “contained software development kits (SDKs) from marketing or social media platforms. 16 VPNs contained 10 or more of these SDKs.”
- Almost one in three of the apps abused permission requests, seeking access to cameras or detailed location information, not required for core app functionality.
- Almost three-quarters of the apps “shared personal data with third parties such as Facebook, Yandex, and data brokers like Kochava, including device fingerprints (37 VPNs), IP addresses (23 VPNs), and unique tracking IDs (61 VPNs).”
- And most alarmingly, “almost one in five (19%) of VPN apps tested were flagged as malware by anti-virus scanners,” which is clearly the ultimate irony for a security app.
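The permission findings in the list above (location tracking, scanning for installed apps, camera access) are something a user or reviewer can check before trusting an app, because every requested permission has to be declared in the APK's AndroidManifest.xml. The script below is an added example written for this article; it is not from the Top10VPN report or from any app it tested. It assumes the manifest has already been extracted from the APK (for instance with a decompiler such as apktool) and compares the declared permissions against a small, assumed baseline of what a VPN client functionally needs. The sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android's manifest namespace; attribute names in the manifest are qualified with it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumption: a minimal permission set a VPN client needs to open a tunnel
# and keep it alive as a foreground service. Anything beyond this deserves a question.
EXPECTED_FOR_VPN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions matching the privacy-risking categories the report describes.
PRIVACY_RISKING = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.QUERY_ALL_PACKAGES": "scanning for installed apps",
    "android.permission.CAMERA": "camera access",
    "android.permission.READ_CONTACTS": "contact list access",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Parse an AndroidManifest.xml string and report permissions a VPN should not need."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    requested.discard(None)

    # A real VPN client must expose a service guarded by BIND_VPN_SERVICE so that
    # only the system can bind to it; an app calling itself a VPN without one is odd.
    declares_vpn_service = any(
        svc.get(PERM_ATTR) == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )

    risky = {p: PRIVACY_RISKING[p] for p in sorted(requested) if p in PRIVACY_RISKING}
    unexpected = sorted(requested - EXPECTED_FOR_VPN - set(PRIVACY_RISKING))
    verdict = "review" if (risky or unexpected or not declares_vpn_service) else "ok"
    return {
        "package": root.get("package"),
        "declares_vpn_service": declares_vpn_service,
        "risky": risky,
        "unexpected": unexpected,
        "verdict": verdict,
    }


def make_manifest(package: str, permissions: list[str]) -> str:
    """Build a constructed manifest for testing; not a real app's manifest."""
    uses = "\n".join(
        f'    <uses-permission android:name="{p}"/>' for p in permissions
    )
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="{package}">
{uses}
    <application>
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""


# Constructed sample: a VPN that also wants location, installed-app scanning and the camera.
OVERREACHING_MANIFEST = make_manifest(
    "com.example.freevpn",
    sorted(EXPECTED_FOR_VPN)
    + [
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.QUERY_ALL_PACKAGES",
        "android.permission.CAMERA",
    ],
)

# Constructed sample: a VPN that asks only for what the tunnel needs.
MINIMAL_MANIFEST = make_manifest("com.example.plainvpn", sorted(EXPECTED_FOR_VPN))


if __name__ == "__main__":
    for manifest in (OVERREACHING_MANIFEST, MINIMAL_MANIFEST):
        report = audit_manifest(manifest)
        print(f"{report['package']}: {report['verdict']}")
        for perm, why in report["risky"].items():
            print(f"  risky permission {perm} ({why})")
        for perm in report["unexpected"]:
            print(f"  unexpected permission {perm}")
```

The baseline set is deliberately small; a given client may legitimately need one or two more (for example a boot-completed receiver for auto-connect), so treat "review" as a prompt to read the app's stated purpose for each extra permission, not as a verdict of malice. The check is also only as honest as the manifest: runtime permission prompts and SDK-driven data sharing the report describes are not visible here.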
The sheer scale of the growth in VPN usage makes these flaws critical; as Top10VPN comments “the 100 most popular free Android VPNs had around 260 million total installs in 2018. Today, that number exceeds 2.5 billion.” A Forbes report suggests there are now 1.6 billion VPN users across the world. And so it’s little surprise that Google has singled out these apps for special treatment by way of an accreditation that should assure users of an app’s legitimacy.
Here’s the assured list—do not stray beyond it.
Top10VPN conducted its own testing by installing each VPN “onto very basic, entry-level Samsung smartphones that had been stripped of all but the most basic stock apps,” before conducting its tests.
“The results were alarming,” the report warns. “Significant numbers of these VPN apps put our privacy and security at risk due to serious encryption failures and data leaks… While it’s little surprise then that most free VPN providers rely on advertising or monetizing their user data to cover costs and hopefully turn a profit, it’s fundamentally at odds with the whole purpose of a VPN.”
Not a good look for Play Store. Simon Migliano, Head of Research at Top10VPN, told me that “Google does not have a great track record of maintaining a high standard of VPN apps in its Play Store. I first started investigating free Android VPNs in 2018 and if anything, the standard of apps has deteriorated even since then. It’s pretty telling that 93% of free Android VPNs on the Play Store had misleading Data Safety labels when Google could quite easily enforce its own rules and better protect consumers.”
I have approached Google for any comments on the report, which makes bewildering reading given the state of this software masquerading in Play Store’s security aisle. But the detail is less important than the takeaways. Don’t use free VPNs, stick to the accredited list and ideally use a well-known, reputable brand. There are cheaper or even near-free options, but the trade-offs seriously hobble the functionality.
If you don’t want to pay any kind of fee, don’t bother with a VPN.
Unfortunately, it really is that simple.