The free VPN app you downloaded for your Android phone might be doing more harm than good. A recent large-scale audit of free Android VPN apps has shared some worrisome findings that justify some healthy suspicion. Researchers found these apps leaking traffic, sending identifying information to third parties, and basically the opposite of what a VPN is supposed to do.
The study comes from researchers at the University of Michigan, the University of New Mexico and IIT Delhi. Their findings were presented at the Network and Distributed System Security Symposium 2026 alongside MVPNalyzer, a framework designed to audit mobile VPN apps automatically and at scale.
Some VPNs could barely manage the V

The researchers tested 281 operational, general-purpose VPN apps that could be downloaded and used for free from the Google Play Store. The sample was assembled from VPN-related searches across supported countries before the apps were tested on Android 14 devices. Services that required an account or payment were excluded from the study.
Among those apps, 61 transmitted some data without encryption. Five sent sensitive VPN configuration files in cleartext, potentially allowing an attacker on the network to redirect a user toward a server they controlled. Another 29 leaked browser or DNS traffic outside the encrypted tunnel, directly undermining one of a VPN’s main selling points.
Privacy was an entirely different can of worms. Seventy-six apps sent device identifiers such as Android’s Advertising ID to third parties, opening the door to continued tracking and fingerprinting. Researchers could extract and examine VPN configuration files from 108 apps, and 107 of them misused or ignored recommended encryption and security practices.

Free is doing a lot of work here
The study does not prove that every mobile VPN is insecure. Its testing focused on free Android apps that worked without accounts or in-app payments, so the results should not be automatically extended to iPhones or established subscription services excluded by that methodology.
It does show how little protection a Play Store listing and a reassuring shield icon can guarantee. The researchers also warned that app-store disclosures, including developer-submitted Data Safety information and Google’s VPN verification badge, may operate more like marketing signals than comprehensive security guarantees. So it’s best advised to avoid downloading the first free VPNs that appear in your app store searches.