A study by researchers from Data61/CSIRO, UC Berkeley, UNSW Sydney, and UCSI finds that several popular VPN services on Android open up a variety of security holes, including injecting JavaScript for ads and tracking services, traffic redirection to commerce sites, and more.
VPNs are useful for encrypting your web traffic or getting around regional restrictions. Most of these VPN services require a subscription, but many also offer free options. Researchers tested 283 different apps and found that many of those apps inject adware, trojans, malvertising, or spyware. What they found was not great:
18% do not encrypt traffic
84% leak user data
38% reveal malware or malvertising
80% request access to sensitive data like user accounts or text messages
Unfortunately, the paper doesn’t go through a full ranking of all 283 apps it tested, nor does it rank the best or most secure services. It does at least go through the worst, which are shown in the table above, using a VirusTotal ranking system. This includes one we’ve mentioned before, Betternet.
The biggest problem here is that in most cases, the researchers found that other than Hola, the VPN providers did not usually admit to the practice of injecting its own ads or forwarding traffic. When researchers reached out to the developers, many didn’t respond, while others simply confirmed that their free version injected code to show their own ads. Thankfully, some of the worst offenders, including the top three, have all been removed from Google Play.
It’s no secret that VPNs are shady and finding a good one requires actual effort, but this is a nice reminder that you should always do some research before using any type of security software. For what it’s worth, we’ve found Private Internet Access, SlickVPN, NordVPN, Hideman, and Tunnelbear have all been reliable and transparent over the years. There’s also no reason to assume this is restricted to Android. iOS and desktop VPN apps likely have similar problems.
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (PDF) | via TorrentFreak