Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking
Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking
https://thehackernews.com/2026/07/study-of-281-free-android-vpn-apps.html
Publish Date: 2026-07-10 06:56:00
Source Domain: thehackernews.com
Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure.
The apps flagged with at least one problem have been installed more than 2.4 billion times.
The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read.
Five of those send the app’s configuration file in the clear, which lets an attacker on the network redirect the connection to a server they control.
The system, called MVPNalyzer, was presented at the NDSS security conference in February 2026 by researchers at the University of Michigan, the University of New Mexico, and IIT Delhi.
It is a mobile counterpart to the same lab’s earlier VPNalyzer study of desktop VPN software, and the researchers describe it as the first framework built to systematically and repeatedly audit Android VPN apps.
A VPN wraps your traffic in an encrypted tunnel so your internet provider, or an eavesdropper on the network, cannot see what you are doing. The trade-off is that the VPN app now sees all of it. You are not removing the need to trust someone. You are moving that trust from your internet provider to whoever built the app.
The study asks whether these apps earn it. For many, they do not.
The most serious flaw: tunnel hijacking
The worst finding involves those five apps that download their configuration file without encryption. That file tells the app which server to connect to. If it travels in plain text, an attacker on the same network, say a public Wi-Fi operator, can rewrite it in transit and point the app at a server they control.
![]() |
| Architecture of the MVPNalyzer framework |
The user connects, sees the usual “connected” screen, and routes everything…
