281 Android VPN Apps Leak Traffic, Send Data Unencrypted
University researchers found critical security flaws in 281 popular Google Play VPN apps with 2.4 billion installs. 29 apps leak DNS queries, 61 transmit data in cleartext.
Security researchers tested 281 popular free VPN apps from Google Play and found widespread privacy violations—from DNS leaks to completely unencrypted data transmission. The problematic apps have been installed over 2.4 billion times, and many continue to operate with fundamental security flaws that expose the very traffic users expect them to protect.
The study, presented at the NDSS security conference in February 2026 by researchers from the University of Michigan, University of New Mexico, and IIT Delhi, used a custom framework called MVPNalyzer to audit Android VPN apps across network layers.
What the Research Found
The findings read like a catalog of VPN security failures:
Traffic Leaks (29 apps): Nearly one in ten apps leaked user traffic outside the encrypted VPN tunnel. 24 apps exposed DNS queries—revealing which websites users visited to network observers—affecting apps with a combined 360 million installs. Six apps leaked browser traffic via visible TLS SNI fields, and four tunneled data over unencrypted transport protocols entirely.
Cleartext Transmission (61 apps): More than 20% of tested apps transmitted some data without encryption. Researchers observed 10,552 unencrypted data flows including web content, JavaScript files, JSON payloads, and VPN-related configuration resources.
Tunnel Hijacking (5 apps): Five apps—BambooVPN, VPN Pro, Free VPN, Hexa VPN, and 101 VPN—downloaded configuration files without encryption. This allows attackers on public WiFi to modify the config file in transit and redirect victims to attacker-controlled VPN servers, completely compromising the security promise.
Weak Cryptography (108 apps): Nearly 20% used outdated ciphers like Blowfish and triple DES, algorithms that have been deprecated for years due to known weaknesses.
Tracking and Privacy Violations
The privacy problems extend beyond technical leaks. Researchers found 246 apps (over 80%) contacted advertising or tracking URLs, undermining user expectations that a VPN would improve their privacy.
Specific concerns included:
- 76 apps transmitted Android Advertising IDs, enabling persistent cross-app tracking
- One app transmitted GPS coordinates alongside device identifiers
- Many apps made tracking calls even before users completed setup or agreed to terms
Why Free VPNs Fail
The economics explain the pattern. Free VPN services need revenue, and when users don't pay, advertisers fill the gap. The tracking infrastructure required to monetize users often conflicts directly with the privacy protections users expect.
Organizations looking for VPN solutions should treat these findings as a warning about the broader landscape. If you're recommending VPN apps to employees for travel or remote work, the "free" options carry significant security debt.
The research also found that Google Play's verification processes do nothing to catch these issues. Apps with fundamental encryption failures passed Google's checks and accumulated millions of downloads without correction.
Recommendations for Users
- Favor paid VPN providers with recent independent security audits and transparent ownership
- Avoid free apps heavy with advertisements—the business model requires privacy compromises
- Check for DNS leak protection specifically; it's the most common failure mode
- Treat "verified" badges as starting points, not proof of security
- Consider enterprise-managed VPN solutions if protecting organizational data
For organizations managing mobile device policies, the safest approach is deploying a vetted VPN client through MDM rather than allowing employees to choose their own. The 2.4 billion installs across these problematic apps show how common poor choices are.
This research joins a growing body of evidence that Android security gaps persist despite platform improvements. When core privacy tools like VPNs can't be trusted, users face difficult tradeoffs between convenience and actual security.
Frequently Asked Questions
Which specific VPN apps are dangerous? The researchers identified BambooVPN, VPN Pro, Free VPN, Hexa VPN, and 101 VPN as having the critical tunnel hijacking flaw. The full list of apps with various issues spans 281 apps and hasn't been fully published.
Should I stop using free VPNs entirely? If you're using a free VPN for genuine privacy protection, yes. The research shows most free VPNs either leak data, use weak encryption, or monetize through tracking—often all three. Paid services with audits from firms like Cure53 or Trail of Bits are safer choices.
Related Articles
Bad Epoll: Linux Kernel Flaw Grants Root on Servers and Android
CVE-2026-46242 exploits a use-after-free race in Linux epoll, giving unprivileged users root access with 99% reliability. Servers and Android devices at risk.
Jul 4, 2026Qilin Ransomware Exploits Check Point VPN Zero-Day Since Early May
CVE-2026-50751 allows unauthenticated VPN access via IKEv1 certificate validation flaw. CISA gave federal agencies three days to patch after linking attacks to ransomware affiliate.
Jun 24, 2026Check Point VPN PoC Drops as Exploitation Intensifies
WatchTowr Labs published technical details and exploit code for CVE-2026-50751, the auth bypass flaw already used by Qilin ransomware. TCP 443 bypass works too.
Jun 13, 2026CISA Orders 3-Day Patch for Android and Linux Flaws Under Attack
Federal agencies face June 5 deadline to remediate CVE-2025-48595 and CVE-2022-0492 after CISA confirms active exploitation. Linux container escapes and Android privilege escalation at risk.
Jun 3, 2026