One in five of the top 150 free VPN Android apps in Google's Play Store was flagged as a potential source of malware, while a quarter of them come with privacy-breaking bugs such as DNS leaks, which expose users' DNS queries to their ISPs.

Simon Migliano, Head of Research at Metric Labs, the company behind the Top10VPN service, found that these VPN Android applications have already been installed approximately 260 million times, according to the install counts reported by Google's official store.

Top10VPN's research has been organized and published in the form of a risk index designed to help Android users understand the exact privacy risks they expose themselves to when installing a free VPN on their smartphone or tablet.

According to Migliano's analysis, one in five free VPN apps tested (27 applications in total) was flagged as a potential source of malware when scanned with VirusTotal, greatly increasing the severity of the risks their users are exposed to.

To make matters even worse, 25% of the apps were affected by a DNS leak security issue. As the report explains:

This security flaw occurs when a VPN fails to force DNS requests through its encrypted tunnel to its own DNS servers and instead permits the requests to be made directly to the default ISP DNS servers. Even though the rest of their traffic may be concealed, the leak exposes a user’s browsing history to their ISP and any third-party DNS server operator that it may use.

The issues found in the top ten free VPN apps (most installs) on the Google Play store:

App (installs)              Risky permissions  DNS leaks  Risky functions  Virus / malware
Hotspot Shield Free (50M)   Detected           No leaks   Detected         No
SuperVPN (50M)              Detected           Leaks      Detected         No
Hi VPN (10M)                Detected           Leaks      Detected         No
Hotspot Shield Basic (10M)  Detected           No leaks   Not detected     No
Psiphon Pro (10M)           Detected           No leaks   Detected         No
Turbo VPN (10M)             Not detected       Leaks      Not detected     No
VPN Master (10M)            Not detected       Leaks      Detected         No
Snap VPN (10M)              Detected           Leaks      Detected         No
Hola (10M)                  Detected           Leaks      Detected         No
SpeedVPN (10M)              Detected           No leaks   Detected         No

Top10VPN's research also states that it found highly intrusive permissions, as well as code functions that expose the app's users to privacy risks, in about 85% of all tested free VPN apps.

The research team found the following intrusive permissions and privacy-breaking code:

location tracking (25% of apps);

access to device status information (38%);

in smaller numbers, use of the camera and microphone and the ability to secretly send SMS;

over half (57%) featured code to get a user's last known location.
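The permission categories listed above map to concrete Android permission names that can be read straight out of an app's manifest. The following is an added example (not code from the article or from Top10VPN's methodology) that audits a decoded AndroidManifest.xml against that list; it assumes the manifest has already been decoded from the APK's binary XML to text (for instance with apktool), and the sample manifest and package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used by android:name in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names grouped under the categories the report uses.
RISKY = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.READ_PHONE_STATE": "device status information",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.SEND_SMS": "send SMS",
}

# Permissions a VPN client legitimately needs; these are never flagged.
EXPECTED_FOR_VPN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> itself is un-namespaced; only the attribute is.
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml):
    """Map each risky declared permission to the report's category name."""
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm in EXPECTED_FOR_VPN:
            continue  # normal for a VPN client
        if perm in RISKY:
            findings[perm] = RISKY[perm]
    return findings


def risk_categories(manifest_xml):
    """Distinct categories hit, e.g. {'location tracking', 'send SMS'}."""
    return set(audit_permissions(manifest_xml).values())


if __name__ == "__main__":
    for perm, category in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {category}")
```

Run against a batch of decoded manifests, the category counts this produces are the same kind of per-app tally the report summarizes as percentages; a VPN app that only needs to open a tunnel has no reason to declare SEND_SMS or READ_PHONE_STATE.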

As detailed in the report's methodology section, Migliano's team installed each of the 150 apps on an Android smartphone and tested its VPN connection using ICSI's Netalyzr Internet connection analysis utility.

Using the same VPN connection, the researchers ran various IP tests using the online browserleaks.com platform, which were compared against control tests performed on the same device without any VPN connection (full network test results for all apps are available here as a PDF).
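The DNS leak mechanism quoted above (resolver queries routed to the ISP instead of through the tunnel) and the control-versus-VPN comparison described in the methodology can both be reduced to a small check. The following is an added example, not code from the article, Top10VPN, Netalyzr or browserleaks.com: it models a device routing table as a list of prefixes and outgoing interfaces, performs a longest-prefix match for each configured DNS resolver to see whether the query would exit through the tunnel interface, and separately compares resolver IPs observed with and without the VPN the way a control test does. The routing table, interface names and resolver addresses are constructed for illustration.

```python
import ipaddress

TUNNEL_IFACE = "tun0"   # hypothetical VPN tunnel interface
UPLINK_IFACE = "wlan0"  # hypothetical Wi-Fi uplink towards the ISP

# Constructed routing snapshot: (destination prefix, outgoing interface).
# The two /1 routes are the usual trick a VPN client uses to override the
# default route without deleting it; the /32 keeps the VPN server itself
# reachable outside the tunnel.
ROUTES = [
    ("0.0.0.0/0", UPLINK_IFACE),       # ISP default route
    ("0.0.0.0/1", TUNNEL_IFACE),       # VPN catch-all, lower half
    ("128.0.0.0/1", TUNNEL_IFACE),     # VPN catch-all, upper half
    ("192.168.1.0/24", UPLINK_IFACE),  # local LAN (ISP router lives here)
    ("203.0.113.5/32", UPLINK_IFACE),  # VPN server endpoint (documentation IP)
]


def select_route(dst, routes=ROUTES):
    """Longest-prefix match: return the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def classify_resolvers(resolvers, routes=ROUTES, tunnel_iface=TUNNEL_IFACE):
    """Map each configured resolver to 'tunnel' or 'leak'.

    A resolver whose route does not select the tunnel interface receives
    DNS queries in the clear on the uplink, which is exactly the leak the
    report describes.
    """
    return {r: ("tunnel" if select_route(r, routes) == tunnel_iface else "leak")
            for r in resolvers}


def dns_leaks(resolvers, routes=ROUTES, tunnel_iface=TUNNEL_IFACE):
    """Sorted list of resolvers that bypass the tunnel; empty means no leak."""
    verdicts = classify_resolvers(resolvers, routes, tunnel_iface)
    return sorted(r for r, v in verdicts.items() if v == "leak")


def leak_from_observation(control_resolvers, vpn_resolvers):
    """Control-test comparison: resolver IPs that a leak-test site saw both
    without and with the VPN up. Any overlap means the ISP-side resolver is
    still being used while the VPN is connected."""
    return sorted(set(control_resolvers) & set(vpn_resolvers))


if __name__ == "__main__":
    # Constructed scenario: the VPN pushed its own resolver (10.8.0.1) but
    # Android kept the router's resolver (192.168.1.1) in the list too.
    configured = ["10.8.0.1", "192.168.1.1"]
    print(classify_resolvers(configured))
    print("leaking resolvers:", dns_leaks(configured))
    # Constructed observation: resolver egress IPs reported by a leak-test
    # page during the control run and during the VPN run.
    print("seen in both runs:", leak_from_observation(
        ["198.51.100.53"], ["198.51.100.53", "203.0.113.53"]))
```

The routing check catches the configuration-side cause (a resolver that is reachable only via the uplink), while the observation check reproduces what the control test in the methodology measures from the outside: if an ISP-side resolver address shows up in the VPN run at all, the tunnel is not carrying DNS.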

When asked if the privacy-breaking issues would still be present in the paid versions of these free VPN apps, Migliano told BleepingComputer that:

While we didn't upgrade any apps that offered premium versions and do additional testing, I am confident that the main privacy issues would persist: i.e. leaks, intrusive permissions and risky code functions. It's still the same app when you upgrade after all. It's possible that network performance may be better in some instances as paid subscribers gain access to the full range of servers.

Migliano is also behind a previous analysis of the top 20 free VPN Android and iOS apps, which concluded that the vast majority of them have virtually nonexistent privacy protection, as well as almost no user support.

This new analysis comes as an addendum designed to pinpoint the privacy flaws present in free VPN Android apps, and Migliano's findings are not encouraging for Android users who choose not to pay to protect their privacy.
