Skip to main content
  1. Home
  2. Phones
  3. Android
  4. Apple
  5. Mobile
  6. News

Security researchers warn against using shady VPN Android apps

Add as a preferred source on Google

If you’ve ever needed to conduct business over the internet somewhat privately on your phone, a virtual private network — or VPN, for short — is an excellent way to go about it. It’s basically an encrypted third-party middleman that sits between you and the wider internet, protecting your data from prying eyes.

And its practically foolproof — even if a hacker were to penetrate the “tunnel,” so to speak, they would struggle to read the data within. But to use a virtual private network, you need an app, and not all apps are as secure as the virtual private network itself.

Recommended Videos

Security researchers at CSIRO’s Data 61, the University of New South Wales, and UC Berkeley studied 283 VPN apps for Android available from the Google Play Store. A whopping 38 percent of the apps on the Google Play Store that were tested contained some form of malware, adware, trojan, or spyware, while 67 percent featured at least one third-party tracking library. As many as 82 percent requested permissions to access sensitive user data, including text messages and call logs.

The researchers categorized the “worst offenders” — apps with an excessive amount of malware — in a top-ten chart.

And to make matters worse, many fell short of delivering the anonymity they promised. Around 18 percent of the VPN apps didn’t encrypt traffic, and 16 percent routed traffic through other users of the same app rather than a dedicated server. And as many as 66 percent leaked traffic, which the researchers noted could “ease online tracking activities” performed by unscrupulous Wi-Fi hot spot administrators and “surveillance agencies.”

Worryingly, more than 25 percent of the apps received at least a 4-star rating. “According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user’s traffic with the VPN permission,” the researchers wrote.

Ultimately, the survey’s authors recommend “looking before you leap,” in a sense — in other words, researching the VPN apps you’re considering and ensuring they act and behave as advertised. Be especially wary of free apps, they say. Stick to well-known companies that are transparent about their practices. And if an app requests access to sensitive information during the installation process for no good reason, it’s probably best to get rid of it.

Kyle Wiggers
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
How to install iOS 27 public beta on your iPhone?
iOS 27’s public beta is here, and its loaded with new features and experiences you might want to try.
iOS 27 beta update open on iPhone

After iOS 27’s third developer beta shipped on July 6, Apple released the first public betas for iOS 27 on July 13, 2026. While the main additions remain the same across the builds, the latter is the more refined and polished version, free of rudimentary bugs and glitches.

If you have a compatible iPhone, you can install the first public beta of iOS 27 today and experience the new Siri AI and other features yourself, provided that you know exactly what to do.

Read more
This Android malware can spy on your screen, read your texts, and control your phone remotely
Upgraded RedHook Android malware now abuses Android's built-in Wireless ADB to hijack your phone without root access.
android-redhook-malware

A nastier version of the RedHook Android malware is making the rounds, and it does not need a USB cable or a rooted phone to take over your device. Researchers at Group-IB discovered the upgraded variant, which is a significant step up from the version spotted in 2025. The scariest part? It uses one of Android's own built-in tools to do it.

How RedHook malware tricks your Android phone into handing over control

Read more
iOS 27’s public beta is finally here, and you don’t need a developer account to get in
Siri's biggest comeback is finally leaving the lab.
iOS 27 new star rating feature in Photos

Greg Joswiak just made it official. A few minutes ago, Apple's marketing chief confirmed the availability of public betas for iOS 27, macOS 27, iPadOS 27, and other Apple devices.

If you've spent the last month watching developers gush over Siri AI, patiently waiting for the public beta, that wait is over.

Read more