New warning as more than 2 billion app installations are classified as high risk
Despite Google’s best efforts, including apparently groundbreaking plans for Android 15, it seems like the warnings just won’t go away. Less than a fortnight after an alarming report on the state of Play Store malware made headlines, here we are again. It’s not just malware this time, it’s broader. And with over 2 billion installs across 100 popular apps, users should start checking and uninstalling.
Let’s keep this stupidly simple. Don’t use a free VPN, not now, not ever. For the few people new to virtual private networks whose popularity continues to rise, these apps protect your IP address and browsing activity from your network, ISP, or anyone else who might be listening. The apps tunnel securely from your device to a third-party server and from there to the open Internet.
In a world of protests and threats against dissidents, lawyers, campaigners and journalists, not to mention areas that have restricted certain apps and platforms, VPNs are a lifeline. While places like China and Iran block apps at will, VPNs are the reason users in those countries can still get through.
For a VPN to function effectively, it requires a network of servers around the world, allowing users to connect to a local network or a network that can present a location mask, trading a real IP address for a VPN in another country. For example, if you live in Great Britain and connect to a US server, it may appear to the open Internet as if you are 3,000 miles from home. It doesn’t always work when you use apps on your phone, as anyone trying to undermine geographic broadcast restrictions can discover. There are other ways an app on a device can check your location. There are ways to bypass such blocks, but not to share.
Legitimate VPNs charge fees or are bundled with other paid security products. And yet most VPNs remain free. And this is one of the great app ironies. The economic business model for a free app is to collect your location, device and other data or serve ads. If you are lucky. If you’re unlucky, the business model is to infect your phone with malware and steal login credentials or private data.
The new warning to the millions upon millions of Android users who mistakenly believe they have secured their phones comes from Top10VPN, which just tested the “100 Most Popular Free Android VPN Apps in the Google Play Store… with between them 2.5 billion global installs,” it says, “to help you avoid using potentially unsafe free VPNs that compromise your privacy and security.”
Spoiler alert: virtually all of these VPNs are a privacy or security disaster, or both.
Just some of the issues mentioned in the report include:
- More than 10% of apps “suffered from encryption flaws, ranging from total exposure to internet activity to leaking details of websites visited.”
- Nearly 90% of apps “suffered some type of leak, including 17 VPNs that leaked more than DNS request data,” while more than 50% “showed signs of VPN tunnel instability.”
- Nearly 70% of apps “requested at least one privacy-risking permission, such as location tracking (20%) and scanning for installed apps (46%).”
- More than 80% of apps “included software development kits (SDKs) from marketing or social media platforms. 16 VPNs include 10 or more of these SDKs.”
- Nearly one in three apps abused permission requests and sought access to cameras or detailed location data that wasn’t necessary for the app’s core functionality.
- Nearly three-quarters of apps “shared personal data with third parties like Facebook, Yandex, and data brokers like Kochava, including device fingerprints (37 VPNs) IP addresses (23 VPNs) and unique tracking IDs (61 VPNs).”
- And most alarmingly, “nearly one in five (19%) of VPN apps tested were flagged as malware by antivirus scanners,” which is clearly the ultimate irony for a security app.
The sheer magnitude of the growth in VPN use makes these shortcomings critical; as Top10VPN notes, “the 100 most popular free Android VPNs had a total of around 260 million installs in 2018. Today that number is more than 2.5 billion.” A Forbes report shows that there are now 1.6 billion VPN users worldwide. And so it’s no surprise that Google has singled out these apps for special treatment through an accreditation that aims to assure users of an app’s legitimacy.
Here is the insured list; don’t go further from it.
Top10VPN conducted its own tests by installing each VPN “on very basic entry-level Samsung smartphones stripped of all but the most basic stock apps,” before running its tests.
“The results were alarming,” the report warns. “Significant numbers of these VPN apps are putting our privacy and security at risk due to serious encryption flaws and data breaches… Although it’s no surprise that most free VPN providers rely on advertising or monetizing their user data to cover costs and hopefully generate a revenue-generating profit, it is fundamentally at odds with the entire purpose of a VPN.”
Not a good look for Play Store. Simon Migliano, head of research at Top10VPN, told me that “Google doesn’t have a good track record when it comes to maintaining a high standard of VPN apps on the Play Store. I first started researching free Android VPNs in 2018 and the standard of apps has deteriorated even since then. It’s telling that 93% of free Android VPNs on the Play Store had misleading Data Safety labels, while Google could quite easily enforce its own rules and better protect consumers.”
I’ve reached out to Google for any comments on the report, which is a mind-boggling read given the status of this software appearing in the Play Store’s security aisle. But the details are less important than the takeaways. Don’t use free VPNs, stick to the accredited list and ideally use a well-known, reputable brand. There are cheaper or even almost free options, but the tradeoffs seriously hinder functionality.
If you don’t want to pay any fees, don’t worry about a VPN.
Unfortunately, it really is that simple.