Free VPNs leak your data while claiming privacy
Summary: Free Android VPN apps claim to protect privacy but in fact collect user data by embedding trackers, requesting dangerous permissions, and connecting to high-risk servers, which seriously threatens privacy. The research shows that most free VPNs are data collection and advertising platforms rather than real privacy tools. Choosing an audited paid or open-source VPN is recommended.

2026-4-1 07:38:33 Author: securityaffairs.com


Most free Android VPNs track users, request dangerous permissions, and connect to risky servers; privacy comes at a hidden cost.

Free VPN apps are some of the most popular downloads on Android, promising privacy at no cost. But the reality is far from what they advertise. Most users tap “install” without a second thought, unaware that many of these apps collect and share personal data rather than protecting it. Mysterium VPN’s research provides concrete evidence of the risks hidden inside free VPNs, revealing how they operate behind the scenes and why “free” often comes with a high price for your privacy.

The research focused on 18 of the most popular free Android VPN apps from the Google Play Store. Each app was analyzed using MobSF, an open-source mobile security framework. This static analysis examined four main areas: the permissions requested by the app, any embedded third-party trackers, hardcoded network endpoints, and developer or third-party email addresses within the code. While static analysis cannot reveal real-time activity, the presence of these elements alone shows what the app is capable of and the potential dangers to users.

A major finding is the sheer number of embedded trackers. Trackers are pieces of software that collect data on user behavior, often for advertising or analytics. Out of the 18 apps tested, 17 contained at least one tracker, and the average app included nearly five. Some apps contained more than a dozen trackers, including platforms from the U.S., China, and Russia. Google’s advertising and analytics tools, like AdMob and Firebase Analytics, were present in nearly every app, and Facebook integration appeared in several, enabling cross-platform tracking. Apps such as Turbo VPN and VPN Proxy Master included Chinese platforms like Umeng and Mobvista, as well as Russian trackers like Yandex Ad. This means users attempting to avoid tracking are often exposed to extensive monitoring by multiple third-party companies.

Permissions requested by these apps revealed another layer of concern. A legitimate VPN needs only a few permissions: network access, the ability to create a VPN tunnel, and the ability to run in the foreground. Yet many apps requested far more, often with no relationship to VPN functionality. FreeVPN, for instance, requested 21 permissions, 12 of which are considered “dangerous” under Android rules. These included camera, microphone, contacts, call logs, precise location, and device storage access. Essentially, the app could record audio or video, read your call history, track your movements, and access your photos and files. This permission set resembles spyware more than a privacy tool. Other apps like VPN Proxy Master, VPN 360, and Secure VPN also requested a high number of dangerous permissions, some including the ability to modify system settings or display overlays, techniques that could enable clickjacking or other malicious behavior.
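The permission review described above can be approximated with a short script. This is an added example, not code from the article or from the Mysterium VPN report; the baseline set and the mapping from the article's categories (camera, microphone, device storage and so on) to Android permission names are assumptions of this example, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed baseline for "network access" and "run in the foreground". Tunnel creation
# is declared on the <service> via BIND_VPN_SERVICE rather than requested here.
BASELINE = {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "FOREGROUND_SERVICE"}
# Flagged permissions, labelled with the capability the article associates with them.
FLAGGED = {
    P + "CAMERA": ("dangerous", "camera"),
    P + "RECORD_AUDIO": ("dangerous", "microphone"),
    P + "READ_CONTACTS": ("dangerous", "contacts"),
    P + "READ_CALL_LOG": ("dangerous", "call logs"),
    P + "ACCESS_FINE_LOCATION": ("dangerous", "precise location"),
    P + "READ_EXTERNAL_STORAGE": ("dangerous", "device storage"),
    P + "WRITE_EXTERNAL_STORAGE": ("dangerous", "device storage"),
    P + "SYSTEM_ALERT_WINDOW": ("special", "display overlays"),
    P + "WRITE_SETTINGS": ("special", "modify system settings"),
}

def audit_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    requested = {(n.get(NS + "name") or "").strip()
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for n in root.iter(tag)} - {""}
    report = {"baseline": [], "dangerous": [], "special": [], "unclassified": []}
    for perm in sorted(requested):
        if perm in BASELINE:
            report["baseline"].append(perm)
        elif perm in FLAGGED:
            kind, capability = FLAGGED[perm]
            report[kind].append((perm, capability))
        else:
            report["unclassified"].append(perm)  # not in either list: review by hand
    # A functioning VPN app declares a service guarded by BIND_VPN_SERVICE.
    report["has_vpn_service"] = any(
        s.get(NS + "permission") == P + "BIND_VPN_SERVICE" for s in root.iter("service"))
    return report

# Constructed sample manifest in decoded XML form (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <application><service android:permission="android.permission.BIND_VPN_SERVICE"/></application>
</manifest>"""
```

Calling `audit_manifest(SAMPLE)` returns the buckets as a dictionary; anything in `dangerous` or `special` is a permission the baseline does not account for.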

Network connections were another significant concern. Many apps connected to a large number of hardcoded domains, sometimes over 100 for a single app, far more than necessary for a VPN. Some of these domains were located in countries with strict state surveillance or subject to U.S. OFAC sanctions, such as China and Russia.

“Beyond trackers and permissions, perhaps the most alarming finding is the number of free VPN apps that contain hardcoded connections to servers in countries subject to OFAC sanctions or with documented state surveillance programs,” reads the report published by Mysterium VPN. “Routing VPN traffic through these jurisdictions exposes users to risks that no tracker policy or permission review can address.”

Using servers in these jurisdictions exposes users to additional risks, as local laws may require companies to log user traffic or provide access to government agencies. For example, Turbo VPN connects to Chinese servers on Alibaba’s network and includes multiple Chinese trackers. VPN Proxy Master communicates with both Chinese and Russian infrastructure while also embedding trackers from these countries. VPN 360 connected to 105 unique domains, combining multiple trackers with potentially risky server locations.

Other alarming behaviors include apps using plaintext HTTP connections instead of encrypted HTTPS, exposing data in transit. Some apps also included embedded emails, which could indicate a lack of professionalism or potential avenues for phishing and other attacks.
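The endpoint findings above (unique hardcoded domains, plaintext HTTP, embedded e-mail addresses) come down to a pass over the strings extracted from an app. The sketch below is an added example, not the report's tooling; the input strings and the `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def audit_endpoints(strings):
    """Summarise hardcoded hosts, plaintext-HTTP hosts and e-mail addresses."""
    hosts, plaintext, emails = set(), set(), set()
    for s in strings:
        for url in URL_RE.findall(s):
            try:
                parts = urlsplit(url)
                host = (parts.hostname or "").lower()
            except ValueError:          # malformed literal such as "http://[broken"
                continue
            if not host:
                continue
            hosts.add(host)
            if parts.scheme == "http":  # urlsplit lowercases the scheme
                plaintext.add(host)     # traffic to this host is unencrypted
        # Search outside URLs only, so "user@host" userinfo is not counted as e-mail.
        emails.update(e.lower() for e in EMAIL_RE.findall(URL_RE.sub(" ", s)))
    return {"unique_hosts": sorted(hosts),
            "plaintext_http": sorted(plaintext),
            "emails": sorted(emails)}

# Constructed sample: strings as a static analyser might pull them from an APK.
SAMPLE_STRINGS = [
    'const-string v0, "https://api.vpn.example/v1/servers"',
    'const-string v1, "http://ads.tracker.example/collect?id="',
    'const-string v2, "HTTP://ADS.tracker.example/pixel"',
    'const-string v3, "https://api.vpn.example/v1/config"',
    'support contact: Dev.Team@vendor.example',
    'const-string v4, "http://[broken"',
]
```

The length of `unique_hosts` is the figure the article quotes per app (105 for VPN 360), and any entry in `plaintext_http` marks a host the app can reach without transport encryption.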

The research identifies the apps with the most concerning risk profiles. FreeVPN stands out for its extreme permissions, despite having no trackers. VPN Proxy Master combines high permissions, numerous trackers, and connections to risky infrastructure, making it the most comprehensive data collector. Turbo VPN is the “tracker king,” embedding platforms from three national advertising ecosystems. VPN 360 has the largest network footprint, with over 100 hardcoded domains. Secure VPN combines dangerous permissions with extensive tracking, including Facebook’s full suite.

The takeaway for users is clear: most free VPN apps are not primarily privacy tools. They are advertising and data collection platforms disguised as security apps. To protect yourself, review requested permissions carefully, audit apps for trackers using tools like Exodus Privacy, and be skeptical of free apps. Open-source and independently audited VPNs are safer, as are decentralized VPN networks, which reduce the risk of a single entity collecting or monetizing your data. Until app stores enforce privacy standards, users bear the responsibility of verifying the safety of any VPN they install.

In short, “free” often comes at a steep cost. Instead of privacy, many free VPNs deliver extensive surveillance, heavy tracking, and connections to potentially dangerous jurisdictions. Investing in a reputable, secure VPN is worth the cost for the protection and peace of mind it provides. Your digital privacy is valuable, and safeguarding it requires informed choices rather than relying on a zero-cost lure.

“The central finding of this research is straightforward: the overwhelming majority of popular free VPN apps on Android are not primarily privacy tools. They are data collection and advertising platforms that provide VPN functionality as a lure,” concludes the report. “The business model is clear, and the mechanisms for executing it are built into the app before a user ever opens it.”


Pierluigi Paganini

(SecurityAffairs – hacking, VPNs)




Article source: https://securityaffairs.com/190239/security/free-vpns-leak-your-data-while-claiming-privacy.html