Millions of Android Users at Risk as Study Reveals Serious Flaws in Free VPN Apps

Published
Written by:
Rachita Jain
Rachita Jain
VPN Staff Editor
Key Takeaways
  • Free Android VPN apps study: Researchers found security, privacy, and encryption flaws across 281 apps with over 2.4 billion installs.
  • Critical vulnerabilities: Five apps enabled tunnel hijacking, while dozens leaked DNS, browsing traffic, or transmitted unencrypted data.
  • Tracking and weak security: Over 80% contacted trackers, and most OpenVPN configurations lacked recommended security best practices.

A large-scale academic study has identified widespread security and privacy shortcomings in some of the most popular free Android VPN applications available on the Google Play Store, finding that many fail to protect user traffic as advertised.

Researchers examined 281 free Android VPN apps using a newly developed automated testing framework called MVPNalyzer, discovering issues ranging from DNS leaks and unencrypted data transmissions to weak VPN configurations and extensive tracking activity. According to the study, apps affected by at least one identified issue have collectively been installed more than 2.4 billion times.

The findings were presented at the Network and Distributed System Security (NDSS) Symposium 2026 by researchers from the University of Michigan, University of New Mexico, and Indian Institute of Technology (IIT) Delhi.

Researchers Develop MVPNalyzer to Audit Android VPN Apps

The researchers created MVPNalyzer as an automated framework for systematically evaluating Android VPN applications. Described in the paper as the first platform specifically designed for repeated, large-scale audits of mobile VPN apps, it serves as the Android counterpart to the team's earlier VPNalyzer framework for desktop VPN software.

MVPNalyzer framework architecture used to analyze Android VPN applications
Researchers used MVPNalyzer to systematically test Android VPN apps for security and privacy issues.

Using the framework, the team analyzed network behavior, encryption practices, VPN configurations, and communications with third-party services across hundreds of free VPN applications listed on Google Play.

The study focuses on whether VPN apps fulfill their primary purpose of protecting internet traffic, noting that users effectively shift their trust from internet service providers to VPN providers when using these services.

Five VPN Apps Were Vulnerable to Tunnel Hijacking

Among the most serious findings, researchers identified five VPN apps that downloaded their VPN configuration files without encryption.

These configuration files specify which VPN server an application connects to. Because they were transmitted in plaintext, an attacker sharing the same network, such as on public Wi-Fi, could intercept and modify the file before it reached the device. By replacing the original configuration, an attacker could redirect users to a VPN server under their own control while the application continued to display a normal "connected" status.

The researchers successfully demonstrated the attack in a controlled environment.

All five providers were notified before publication. Two acknowledged the issue and stated they would transition configuration downloads to HTTPS with proper certificate validation, while the remaining three had not responded when the research paper was published.

Dozens of Apps Exposed User Traffic Outside VPN Tunnels

The study also found multiple instances where VPN applications failed to route traffic through encrypted tunnels.

Researchers identified 29 apps that leaked user traffic outside the VPN connection. Among them, 24 apps exposed DNS requests, allowing network operators to see which websites users were attempting to visit. Those applications account for approximately 360 million installs.

Additionally, six apps leaked broader internet traffic beyond DNS requests, while four apps operated VPN tunnels without encryption entirely. Some applications exhibited more than one of these issues simultaneously.

Many VPN Apps Failed to Hide VPN Usage

Beyond encrypting traffic, some VPN services advertise the ability to bypass censorship or network restrictions by disguising VPN traffic.

However, the researchers found that 169 applications made no attempt to obfuscate their VPN traffic, making it easily identifiable by internet providers, network administrators, or government censorship systems using standard detection techniques.

The paper notes that nearly two-thirds of these apps advertise features such as bypassing restrictions or unlocking blocked content despite lacking traffic obfuscation capabilities.

More Than 80% of Tested Apps Contacted Advertising and Tracking Services

The study also examined how VPN applications handled user privacy.

Researchers found that 76 apps transmitted Android Advertising IDs, which advertisers use to recognize devices across different applications.

Overall, 246 of the 281 analyzed apps communicated with known advertising or tracking domains. Many also collected device characteristics, including phone model, Android version, and screen size, that can contribute to device fingerprinting when combined.

In one instance, the researchers observed an application transmitting the device's precise GPS coordinates.

TechNadu Analysis Highlights Transparency Concerns Around Popular VPN Apps

The findings of the NDSS study align with TechNadu's recent analysis of VPN Super Unlimited Proxy, one of the most downloaded free VPN apps on Android and iOS. In that review, TechNadu examined the provider's privacy policy, public disclosures, and available evidence supporting its no-logs claims.

The analysis found that while VPN Super states it does not log browsing activity or VPN traffic, there are no publicly available independent no-logs audits, transparency reports, warrant canaries, or legal disclosures verifying those claims. It also notes that the provider discloses collecting certain operational information, including IP addresses during connections, approximate location derived from IP addresses, device information, usage analytics, crash logs, account details, and advertising identifiers for free users.

Although the NDSS researchers did not single out VPN Super Unlimited Proxy among the five applications affected by the tunnel hijacking vulnerability, their broader findings reinforce the importance of independently validating VPN providers' privacy and security claims. Both the academic study and TechNadu's analysis emphasize that marketing claims such as "no logs" should not be considered verified without supporting technical audits or public evidence.

Security Configurations Frequently Relied on Weak Encryption

As part of a separate analysis, the researchers examined 108 bundled OpenVPN configuration files distributed with the tested applications.

Only one configuration satisfied every security best practice evaluated in the study.

Approximately 89% relied on a single authentication mechanism instead of combining certificates with passwords or other methods. Nearly one in five configurations used outdated encryption algorithms such as Blowfish or Triple DES, while several disabled encryption for VPN data traffic altogether.

The paper notes that both Blowfish and Triple DES remain associated with known cryptographic weaknesses, including CVE-2016-6329, which may enable attackers to recover data from long-running encrypted sessions under specific conditions.

Researchers Question Play Store Trust Indicators

According to the researchers, many of the observed security issues appear to result from poor application maintenance rather than sophisticated attacks.

The paper also argues that Google Play's security indicators, including the "Verified" VPN badge, should not be interpreted as evidence that an application has undergone comprehensive security validation. Instead, the researchers suggest these labels function primarily as indicators of publisher trust rather than guarantees of secure implementation.

At the time of publication, Google had not publicly responded to questions regarding whether the affected applications would be reviewed or removed from Google Play.

Findings Reflect a Broader Pattern in Free VPN Security

The researchers also referenced previous studies highlighting similar concerns within the free VPN ecosystem.

They cite research published in 2025 that linked several widely downloaded Android VPN applications through shared infrastructure and location data collection, as well as separate findings identifying outdated OpenSSL versions and excessive permission requests in free VPN apps.

The NDSS paper independently documents the latest findings, making the reported issues part of a verified academic study. The researchers also announced plans to publicly release MVPNalyzer, allowing app stores, regulators, and security researchers to conduct automated assessments of Android VPN applications. The findings underscore the ongoing security and privacy risks associated with poorly maintained free VPN services and suggest that app store availability or verification badges alone should not be treated as assurances of strong security protections.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: