Close Menu
    What's Hot

    Meta removes controversial AI feature on Instagram after backlash

    Jersey Mike’s IPO tries to sprinkle SpaceX magic on a sandwich

    HP Stock Is A High Yielding Undervalued Tech Stock (Technical Analysis) (NYSE:HPQ)

    Facebook X (Twitter) Instagram
    Trending
    • Meta removes controversial AI feature on Instagram after backlash
    • Jersey Mike’s IPO tries to sprinkle SpaceX magic on a sandwich
    • HP Stock Is A High Yielding Undervalued Tech Stock (Technical Analysis) (NYSE:HPQ)
    • Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking
    • Stop hiring for the résumé. Start hiring for obsession
    • E.P.A. Moves to Loosen Limits on Pollution From Trucks
    • Scaloni not surprised by Messi’s World Cup form at 39 – ‘He’s a machine’ | World Cup 2026 News
    • U.S. Citizen Tests Positive for Ebola in Democratic Republic of Congo
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

    adminBy adminJuly 11, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

    Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure.

    The apps flagged with at least one problem have been installed more than 2.4 billion times.

    The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read.

    Five of those send the app’s configuration file in the clear, which lets an attacker on the network redirect the connection to a server they control.

    The system, called MVPNalyzer, was presented at the NDSS security conference in February 2026 by researchers at the University of Michigan, the University of New Mexico, and IIT Delhi.

    It is a mobile counterpart to the same lab’s earlier VPNalyzer study of desktop VPN software, and the researchers describe it as the first framework built to systematically and repeatedly audit Android VPN apps.

    A VPN wraps your traffic in an encrypted tunnel so your internet provider, or an eavesdropper on the network, cannot see what you are doing. The trade-off is that the VPN app now sees all of it. You are not removing the need to trust someone. You are moving that trust from your internet provider to whoever built the app.

    Cybersecurity

    The study asks whether these apps earn it. For many, they do not.

    The most serious flaw: tunnel hijacking

    The worst finding involves those five apps that download their configuration file without encryption. That file tells the app which server to connect to. If it travels in plain text, an attacker on the same network, say a public Wi-Fi operator, can rewrite it in transit and point the app at a server they control.

    Architecture of the MVPNalyzer framework

    The user connects, sees the usual “connected” screen, and routes everything through the attacker. The researchers built this attack and confirmed it worked on phones under their control.

    They flagged the issue for all five providers as a priority. Two responded, both promising to move the file to HTTPS. One said it would send the configuration files “securely using HTTPS with proper certificate validation.” The other three had not acknowledged it.

    Leaks, and apps that hide nothing

    Of the 29, 24 leaked DNS traffic, exposing the sites users visited to the local network; those apps alone account for about 360 million installs. Six leaked full browsing traffic outside the tunnel, and four ran “tunnels” with no encryption at all, with some apps failing in more than one way.

    Separately, 169 apps made no attempt to disguise their traffic as anything other than a VPN, so a network operator or government censor can spot and block them with basic tools. Nearly two-thirds of those apps advertise that they beat blocking or unlock restricted content. They make the promise and do nothing to keep it.

    For someone in a country where using a VPN is itself risky, being easy to identify as a VPN user is the opposite of what they signed up for.

    Tracking, from the apps built to stop it

    People often install VPNs to avoid being tracked. Many of these apps track anyway. 76 sent the device’s Advertising ID, a unique code advertisers use to follow a person from one app to the next.

    The study found that more than 80% of the apps, 246 of them, contacted known advertising and tracking servers. Many also sent details like the phone model, operating system version, and screen size.

    On their own, those look harmless, but combined, they form a “fingerprint” that can single out one device. One app even sent the phone’s exact GPS coordinates.

    Weak setups under the hood

    The researchers also pulled apart the OpenVPN configuration files bundled with 108 of the apps, a separate check from the live-traffic tests above. Only one followed every security best practice the study measured.

    About 89% relied on a single authentication method, either a password or a certificate, rather than combining the two. Nearly one in five used weak or outdated encryption, including the aging Blowfish cipher and triple DES. A few set the tunnel’s data cipher to none, which switches off encryption entirely. Both of those old ciphers carry long-known weaknesses (CVE-2016-6329 and CVE-2016-2183) that let an attacker recover data from long-running connections.

    Cybersecurity

    Most of these problems trace back to the same root: the apps are barely maintained, and the Play Store’s automated checks let them through. Many rank among its top search results, where Google’s safety labels and its “Verified” badge for VPN apps are meant to signal trust. The study says those labels work more like marketing signals than a real security guarantee.

    This is not a one-off

    Other recent research points in the same way. In August 2025, researchers at the University of Toronto’s Citizen Lab and Arizona State University found that several popular Android VPN apps, with more than 700 million combined downloads, were secretly linked, shared hard-coded passwords, and quietly collected location data.

    In October 2025, mobile security firm Zimperium reported that three of the roughly 800 free VPN apps it tested still bundled a version of the OpenSSL library vulnerable to Heartbleed, a well-known bug patched back in 2014. Many also asked for phone permissions far beyond what a VPN needs.

    The three studies tell one story: free VPN apps keep pairing a strong privacy pitch with weak engineering, and they keep reaching millions of installs before anyone catches it.

    What users can do

    The most serious flaws here, the cleartext config fetch and the weak tunnel settings, are invisible from the user’s side. You cannot spot them by looking at the app, which is the whole problem. So the real defense is not which protocol the app advertises. It is who is behind it.

    Favor providers that publish a recent independent security audit. Be wary of free apps that bury you in ads. And treat “verified” or “no-logs” claims as a starting point, not proof.

    The researchers list every flagged app in the paper’s appendix, so you can check whether the one on your phone is among them.

    The team plans to release MVPNalyzer publicly so app stores and regulators can run these checks themselves. On this evidence, they will have to.

    The Hacker News has asked Google whether it is reviewing or removing the flagged apps, and for its response to the study’s finding that Play Store safety labels and the “Verified” badge function more as marketing than security guarantees. We have also asked the MVPNalyzer research team to identify the five apps vulnerable to tunnel hijacking and to confirm whether the notified providers have since deployed fixes. This story will be updated with any response.

    Android apps data finds free leaks Study tracking Traffic Unencrypted VPN
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleStop hiring for the résumé. Start hiring for obsession
    Next Article HP Stock Is A High Yielding Undervalued Tech Stock (Technical Analysis) (NYSE:HPQ)
    admin
    • Website

    Related Posts

    Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

    July 11, 2026

    How Lumen Technologies Rebuilt Exposure Management at Scale

    July 11, 2026

    New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

    July 11, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Meta removes controversial AI feature on Instagram after backlash

    Jersey Mike’s IPO tries to sprinkle SpaceX magic on a sandwich

    HP Stock Is A High Yielding Undervalued Tech Stock (Technical Analysis) (NYSE:HPQ)

    Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by