Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure.

The apps flagged with at least one problem have been installed more than 2.4 billion times.

The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read.

Five of those send the app's configuration file in the clear, which lets an attacker on the network redirect the connection to a server they control.

The system, called MVPNalyzer, was presented at the NDSS security conference in February 2026 by researchers at the University of Michigan, the University of New Mexico, and IIT Delhi.

It is a mobile counterpart to the same lab's earlier VPNalyzer study of desktop VPN software, and the researchers describe it as the first framework built to systematically and repeatedly audit Android VPN apps.

A VPN wraps your traffic in an encrypted tunnel so your internet provider, or an eavesdropper on the network, cannot see what you are doing. The trade-off is that the VPN app now sees all of it. You are not removing the need to trust someone. You are moving that trust from your internet provider to whoever built the app.

The study asks whether these apps earn it. For many, they do not.

The most serious flaw: tunnel hijacking

The worst finding involves those five apps that download their configuration file without encryption. That file tells the app which server to connect to. If it travels in plain text, an attacker on the same network, say a public Wi-Fi operator, can rewrite it in transit and point the app at a server they control.

Architecture of the MVPNalyzer framework

The user connects, sees the usual "connected" screen, and routes everything through the attacker. The researchers built this attack and confirmed it worked on phones under their control.

They flagged the issue for all five providers as a priority. Two responded, both promising to move the file to HTTPS. One said it would send the configuration files "securely using HTTPS with proper certificate validation." The other three had not acknowledged it.

Leaks, and apps that hide nothing

Of the 29, 24 leaked DNS traffic, exposing the sites users visited to the local network; those apps alone account for about 360 million installs. Six leaked full browsing traffic outside the tunnel, and four ran "tunnels" with no encryption at all, with some apps failing in more than one way.

Separately, 169 apps made no attempt to disguise their traffic as anything other than a VPN, so a network operator or government censor can spot and block them with basic tools. Nearly two-thirds of those apps advertise that they beat blocking or unlock restricted content. They make the promise and do nothing to keep it.

For someone in a country where using a VPN is itself risky, being easy to identify as a VPN user is the opposite of what they signed up for.

Tracking, from the apps built to stop it

People often install VPNs to avoid being tracked. Many of these apps track anyway. 76 sent the device's Advertising ID, a unique code advertisers use to follow a person from one app to the next.

The study found that more than 80% of the apps, 246 of them, contacted known advertising and tracking servers. Many also sent details like the phone model, operating system version, and screen size.

On their own, those look harmless, but combined, they form a "fingerprint" that can single out one device. One app even sent the phone's exact GPS coordinates.

Weak setups under the hood

The researchers also pulled apart the OpenVPN configuration files bundled with 108 of the apps, a separate check from the live-traffic tests above. Only one followed every security best practice the study measured.

About 89% relied on a single authentication method, either a password or a certificate, rather than combining the two. Nearly one in five used weak or outdated encryption, including the aging Blowfish cipher and triple DES. A few set the tunnel's data cipher to none, which switches off encryption entirely. Both of those old ciphers carry long-known weaknesses (CVE-2016-6329 and CVE-2016-2183) that let an attacker recover data from long-running connections.

Most of these problems trace back to the same root: the apps are barely maintained, and the Play Store's automated checks let them through. Many rank among its top search results, where Google's safety labels and its "Verified" badge for VPN apps are meant to signal trust. The study says those labels work more like marketing signals than a real security guarantee.

This is not a one-off

Other recent research points in the same way. In August 2025, researchers at the University of Toronto's Citizen Lab and Arizona State University found that several popular Android VPN apps, with more than 700 million combined downloads, were secretly linked, shared hard-coded passwords, and quietly collected location data.

In October 2025, mobile security firm Zimperium reported that three of the roughly 800 free VPN apps it tested still bundled a version of the OpenSSL library vulnerable to Heartbleed, a well-known bug patched back in 2014. Many also asked for phone permissions far beyond what a VPN needs.

The three studies tell one story: free VPN apps keep pairing a strong privacy pitch with weak engineering, and they keep reaching millions of installs before anyone catches it.

What users can do

The most serious flaws here, the cleartext config fetch and the weak tunnel settings, are invisible from the user's side. You cannot spot them by looking at the app, which is the whole problem. So the real defense is not which protocol the app advertises. It is who is behind it.

Favor providers that publish a recent independent security audit. Be wary of free apps that bury you in ads. And treat "verified" or "no-logs" claims as a starting point, not proof.

The researchers list every flagged app in the paper's appendix, so you can check whether the one on your phone is among them.

The team plans to release MVPNalyzer publicly so app stores and regulators can run these checks themselves. On this evidence, they will have to.

The Hacker News has asked Google whether it is reviewing or removing the flagged apps, and for its response to the study's finding that Play Store safety labels and the "Verified" badge function more as marketing than security guarantees. We have also asked the MVPNalyzer research team to identify the five apps vulnerable to tunnel hijacking and to confirm whether the notified providers have since deployed fixes. This story will be updated with any response.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.