281 Google Play VPN Apps Found Leaking Data and Transmitting Unencrypted
A study revealed that 281 popular Android VPN apps on the Google Play Store suffer from critical security flaws, including unencrypted data transfer and traffic leaks.

A recent security study has uncovered significant privacy and security vulnerabilities affecting 281 popular Android VPN applications available on the Google Play Store. Researchers found that dozens of these apps are transmitting sensitive user data without encryption, leaking traffic outside of their secure tunnels, and sending device identifiers to third-party tracking and advertising services. These findings are particularly concerning given that VPNs are often installed precisely to enhance user privacy and security.
The research team, comprising experts from multiple universities, developed a specialized framework named MVPNalyzer to rigorously test how these Android VPN applications handle network traffic, configuration files, and user data. VPN applications occupy a privileged position on mobile devices, granting them the ability to intercept and route traffic from all other applications. This capability makes them a critical tool for users seeking to avoid surveillance, bypass censorship, or secure their connections on untrusted networks.
In their analysis, researchers examined 281 operational free VPN apps sourced directly from Google Play searches and the VPN Proxy & Tools category. The collective install base of these affected applications numbers in the billions, indicating that the widespread insecure practices could impact a vast number of users globally. The study highlighted several critical failure points, with unencrypted communications being a primary concern.
The study identified 61 VPN apps that were observed transmitting cleartext data across 10,552 distinct data flows. This unencrypted data included sensitive information such as web content, JavaScript code, JSON files, and VPN-specific resources. The implications are severe: a network attacker positioned between the user and the internet could potentially intercept, read, or even modify this traffic, completely defeating the purpose of using a VPN.
Further compounding the issue, five of the analyzed apps were found to transfer VPN configuration files over unencrypted connections. These configuration files are essential for establishing a secure VPN connection. If intercepted and modified in transit, an attacker could redirect the user to a malicious VPN server, enabling them to monitor all subsequent internet activity.
The research also revealed significant traffic leakage issues in 29 VPN apps. Twenty-four applications were found to leak DNS requests outside the encrypted tunnel, exposing the websites users were attempting to visit. Additionally, six apps leaked browser traffic, and four utilized unencrypted tunnels that exposed visited domains directly in network packets. These leaks directly undermine the core promise of VPNs to shield user activity from local network observers and internet service providers.
Privacy concerns were also rampant, with 246 apps identified as contacting advertising or tracking URLs. A staggering 76 apps transmitted unique Android Advertising IDs, which can be used for persistent cross-app tracking and user profiling. Many applications also exposed detailed device information, including model, OS version, API level, language, screen details, country, and IP address, which could be aggregated to create a unique device fingerprint for advertisers.
The study also pointed to weak VPN configuration practices, noting that only one out of 108 apps containing OpenVPN configuration files met all evaluated security best practices. The remaining apps exhibited issues ranging from weak cryptography and authentication to outdated directives and missing hardening settings, leaving them vulnerable to various attacks. The findings underscore the need for greater scrutiny of free VPN services and stronger enforcement by app stores.