PROBABLYPWNED
VulnerabilitiesJuly 13, 20264 min read

281 Android VPN Apps Leak Traffic, Send Data Unencrypted

University researchers found critical security flaws in 281 popular Google Play VPN apps with 2.4 billion installs. 29 apps leak DNS queries, 61 transmit data in cleartext.

Marcus Chen

Security researchers tested 281 popular free VPN apps from Google Play and found widespread privacy violations—from DNS leaks to completely unencrypted data transmission. The problematic apps have been installed over 2.4 billion times, and many continue to operate with fundamental security flaws that expose the very traffic users expect them to protect.

The study, presented at the NDSS security conference in February 2026 by researchers from the University of Michigan, University of New Mexico, and IIT Delhi, used a custom framework called MVPNalyzer to audit Android VPN apps across network layers.

What the Research Found

The findings read like a catalog of VPN security failures:

Traffic Leaks (29 apps): Nearly one in ten apps leaked user traffic outside the encrypted VPN tunnel. 24 apps exposed DNS queries—revealing which websites users visited to network observers—affecting apps with a combined 360 million installs. Six apps leaked browser traffic via visible TLS SNI fields, and four tunneled data over unencrypted transport protocols entirely.

Cleartext Transmission (61 apps): More than 20% of tested apps transmitted some data without encryption. Researchers observed 10,552 unencrypted data flows including web content, JavaScript files, JSON payloads, and VPN-related configuration resources.

Tunnel Hijacking (5 apps): Five apps—BambooVPN, VPN Pro, Free VPN, Hexa VPN, and 101 VPN—downloaded configuration files without encryption. This allows attackers on public WiFi to modify the config file in transit and redirect victims to attacker-controlled VPN servers, completely compromising the security promise.

Weak Cryptography (108 apps): Nearly 20% used outdated ciphers like Blowfish and triple DES, algorithms that have been deprecated for years due to known weaknesses.

Tracking and Privacy Violations

The privacy problems extend beyond technical leaks. Researchers found 246 apps (over 80%) contacted advertising or tracking URLs, undermining user expectations that a VPN would improve their privacy.

Specific concerns included:

  • 76 apps transmitted Android Advertising IDs, enabling persistent cross-app tracking
  • One app transmitted GPS coordinates alongside device identifiers
  • Many apps made tracking calls even before users completed setup or agreed to terms

Why Free VPNs Fail

The economics explain the pattern. Free VPN services need revenue, and when users don't pay, advertisers fill the gap. The tracking infrastructure required to monetize users often conflicts directly with the privacy protections users expect.

Organizations looking for VPN solutions should treat these findings as a warning about the broader landscape. If you're recommending VPN apps to employees for travel or remote work, the "free" options carry significant security debt.

The research also found that Google Play's verification processes do nothing to catch these issues. Apps with fundamental encryption failures passed Google's checks and accumulated millions of downloads without correction.

Recommendations for Users

  1. Favor paid VPN providers with recent independent security audits and transparent ownership
  2. Avoid free apps heavy with advertisements—the business model requires privacy compromises
  3. Check for DNS leak protection specifically; it's the most common failure mode
  4. Treat "verified" badges as starting points, not proof of security
  5. Consider enterprise-managed VPN solutions if protecting organizational data

For organizations managing mobile device policies, the safest approach is deploying a vetted VPN client through MDM rather than allowing employees to choose their own. The 2.4 billion installs across these problematic apps show how common poor choices are.

This research joins a growing body of evidence that Android security gaps persist despite platform improvements. When core privacy tools like VPNs can't be trusted, users face difficult tradeoffs between convenience and actual security.

Frequently Asked Questions

Which specific VPN apps are dangerous? The researchers identified BambooVPN, VPN Pro, Free VPN, Hexa VPN, and 101 VPN as having the critical tunnel hijacking flaw. The full list of apps with various issues spans 281 apps and hasn't been fully published.

Should I stop using free VPNs entirely? If you're using a free VPN for genuine privacy protection, yes. The research shows most free VPNs either leak data, use weak encryption, or monetize through tracking—often all three. Paid services with audits from firms like Cure53 or Trail of Bits are safer choices.

Related Articles