A new study of 281 free Android VPN apps found widespread security flaws, including five apps vulnerable to traffic hijacking despite billions of downloads worldwide.

Free VPN Applications Expose Billions To Severe Cyber Threats

The420 Web Correspondent
5 Min Read

A new academic study has found that many of the most popular free VPN applications on the Google Play Store, collectively downloaded more than 2.4 billion times, fail at the basic task users download them for: keeping internet traffic private and secure. The research, led by teams from the University of Michigan, the University of New Mexico and IIT Delhi, is particularly relevant for India, one of the world’s largest VPN markets given the frequency with which citizens turn to such apps to access blocked content or secure connections on public Wi-Fi.

A New Tool Built to Catch What Users Cannot See

The researchers built MVPNalyzer, described as the first framework designed for systematic, repeatable audits of mobile VPN apps at scale, extending an earlier desktop-focused tool called VPNalyzer developed by the same lab. Presented at the Network and Distributed System Security Symposium in February 2026 and funded by the US National Science Foundation, the framework tested 281 of the most popular free, general-purpose VPN apps available on the Play Store, running each on Android 14 devices while analysing network behaviour, encryption practices and communication with third-party services.

Roya Ensafi, an associate professor at the University of Michigan and the study’s senior author, said the motivation stemmed from seeing how heavily people rely on VPNs for privacy while many apps fail to uphold even basic protections, adding that the goal was to let users, regulators and researchers see what is actually happening under the hood.

What the Numbers Reveal

The findings paint a troubling picture of the free VPN ecosystem. Twenty-nine apps were found to leak internet traffic outside their encrypted tunnels, including DNS requests that reveal exactly which websites a user visits, defeating the fundamental purpose of using a VPN in the first place. A further 61 apps transmitted certain data in plain text, while four operated their tunnels without any encryption whatsoever, an almost complete failure of the core security promise VPNs are built around.

The most serious finding involved five apps, BambooVPN, VPN Pro, Free VPN, Hexa VPN and 101 VPN, which downloaded their server configuration files without encryption. Because these files determine which server a device connects to, an attacker on the same network, particularly on public Wi-Fi, could intercept and silently modify them to redirect a user’s traffic to a malicious server, all while the app continued to display a normal “connected” status. When researchers disclosed the flaw, responses were inconsistent: VPN Pro and Hexa VPN have since fixed the issue, while BambooVPN, Free VPN and 101 VPN reportedly remain vulnerable to tunnel hijacking even after disclosure.

The Business Model Behind “Free”

The study also examined why so many free VPNs fall short, tracing it back to the economics of running server infrastructure without subscription revenue. Researchers found 76 apps transmitted advertising identifiers, and more than 80 per cent contacted known advertising or tracking servers, suggesting user activity is frequently monetised even when an app’s marketing promises privacy.

A researcher at Algoritha Security said VPN security depends as much on how securely an application is designed and maintained as on its encryption standard, warning that a poorly implemented VPN creates a dangerous illusion of protection for users conducting sensitive tasks such as online banking or accessing workplace systems. That risk extends into corporate settings too, where employees using insecure consumer VPNs to reach office systems can inadvertently expose entire organisational networks to credential theft or ransomware entry points.

What Users Should Check Before Trusting an App

The findings echo earlier 2025 research from Citizen Lab, Arizona State University and mobile security firm Zimperium, which separately identified hidden ownership structures, excessive data collection and outdated encryption libraries across popular Android VPN apps, suggesting these are systemic rather than isolated engineering failures.

Cybersecurity experts recommend choosing VPN providers with transparent privacy policies, independent security audits and clearly published no-log claims, treating such labels as a starting point for verification rather than proof in themselves. For Indian users, who turn to VPNs more frequently than most global counterparts, the researchers’ underlying message is straightforward: installing a VPN shifts trust from an internet provider to whoever built the app, and that trust is worth scrutinising before, not after, sensitive data is transmitted.

Stay Connected