
Top free VPN apps found carrying user privacy bugs and are potential source of malware

  • Twenty-five percent of apps asked for permission to track location.
  • There were a few apps that wanted to use the device’s camera and microphone or send text messages.

A huge number of free VPN Android apps in the Google Play Store have been found to be at high risk. A study of around 150 of the most popular free VPN Android apps found that about a quarter of them leaked Domain Name System (DNS) information and failed to protect users.

These apps have over 260 million combined installations worldwide.

Major flaws

Apart from DNS leakage, the study conducted by Simon Migliano, Metric Labs’ Head of Research at Top10VPN.com, discovered that four VPN apps leaked WebRTC (a real-time communications protocol for browsers) data. Two other apps leaked DNS data, IP addresses and WebRTC data.

“While many of our Risk Index findings are straightforward in what they reveal about a particular app, such as the presence of DNS leaks or network anomalies, the analysis of permissions and risky functions needs to be placed in proper context as it provides us with illuminating insight into the category of free apps as a whole,” said Migliano in the study.

These 150 apps were also scanned on Google’s VirusTotal site, and 27 of them were flagged as a potential source of malware.

Two-thirds of the apps tested contained user privacy bugs. A vast majority of the apps (nearly 66 percent) asked users for intrusive permissions, categorized as ‘dangerous’ by the official Android developer documentation.

Twenty-five percent of apps asked for permission to track location, while 38 percent requested access to personal information. There were a few apps that wanted to use the device’s camera and microphone or send text messages.

The only thing all apps did correctly was to establish encrypted VPN connections. However, network testing revealed that over half of the apps suffered performance issues such as packet loss, low bandwidth and excessive buffering.

High security risk apps

The top ten free VPN apps found to be at high risk are HotSpotShield Free, SuperVPN, Hi VPN, HotSpotShield Basic, Psiphon Pro, Turbo VPN, VPN Master, Snap VPN, Hola, and Speed VPN. Each of these apps has recorded a download count between 10 and 50 million.

None of these were flagged for malware, but all of them had at least of the core issues: risky permissions, risky functions and DNS leakage.

Cyware Publisher
