- Researchers found security or privacy problems in free Android VPN apps tied to more than 2.4 billion installs.
- Some apps leaked DNS requests or browsing traffic, while four created VPN tunnels with no encryption.
- Many apps contacted advertising and tracking servers, and some shared device IDs, IP addresses or location data.
- The study names apps tied to specific issues, but readers should check package names and whether developers released fixes.
You open a free VPN app, tap “Connect” and see a reassuring green shield. That little icon can make public Wi-Fi feel much safer. However, a new study found that the shield may offer false confidence.
Researchers tested 281 popular free Android VPN apps from the Google Play Store. Many failed at the basic job you downloaded them to perform. Some leaked traffic outside the VPN tunnel. Others tracked phones or used weak security settings.
The apps flagged with at least one problem had collected more than 2.4 billion installs. Here is what the researchers uncovered and how to check whether the VPN on your phone appears in the paper.

Why free Android VPN apps can create false confidence
A VPN creates an encrypted tunnel between your phone and a VPN server. This can keep your internet provider or someone watching public Wi-Fi from seeing where your traffic goes. Yet every VPN involves trust. You move that trust from your internet provider to the company running the VPN. That company builds the app and selects the servers carrying your traffic. Poor code or weak settings can put your privacy at risk.
Researchers from the University of Michigan, the University of New Mexico and IIT Delhi built a system called MVPNalyzer to examine those risks. They presented their findings at the NDSS security conference earlier this year. The team describes MVPNalyzer as the first framework designed for repeated and systematic testing of Android VPN apps.
Tunnel hijacking can send VPN traffic to an attacker
The most alarming finding involved five apps that downloaded their VPN configuration files without encryption. A configuration file tells the app which server to contact. If that file travels in plain text, someone on the network can rewrite it before it reaches your phone.
Imagine connecting through airport Wi-Fi. An attacker intercepts the file and replaces the real VPN server address with one they control. Your app may still display its normal “connected” screen. Meanwhile, your internet traffic runs through the attacker’s server. The researchers recreated this attack on phones they controlled and confirmed that it worked.
The researchers notified all five providers. Two acknowledged the report and promised to switch to HTTPS with proper certificate checks. The other three had not responded when the researchers documented the disclosure. However, the researchers did not separately identify the five apps vulnerable to tunnel hijacking. Those apps appear somewhere within the paper’s broader list of 61 apps that transmitted unencrypted data.
Some free VPN apps fail to hide VPN use
A VPN can use obfuscation to make its traffic harder to identify. This can help when a school, workplace or government blocks VPN connections.
MVPNalyzer found that 169 apps could be recognized as VPNs through standard port checks, protocol detection or basic searches for “VPN” in network requests.
The researchers then examined how those apps described themselves on Google Play. They found that 110 claimed directly or indirectly that they could bypass blocking.
That creates added danger in countries where authorities monitor or restrict VPN use. You may download an app expecting protection while the network can easily detect that you are using a VPN.

Watch the latest episode of The CyberGuy Report.
Missed this event? Sign up via the registration form and see our live recording.
See Kurt’s latest Amazon picks for useful gadgets, smart home upgrades and everyday tech worth grabbing while the deals last.
Free Android VPN apps may track your phone
Many of you install a VPN because you want less tracking. Yet the researchers found advertising or tracking connections in more than 80% of the apps tested.
A total of 246 apps contacted known advertising and tracking addresses. Seventy-six transmitted the phone’s Advertising ID, which advertisers can use to recognize activity across apps.
The researchers also found that 38 apps sent the phone’s IP address. One transmitted precise geographic coordinates.
Many apps shared the phone model, Android version or screen details. Those pieces of information can be combined to create a device fingerprint.
Advertising may help pay for a free service. However, a VPN can handle nearly everything leaving your phone. That makes its tracking behavior especially important to examine.
Weak encryption can undermine VPN protection
The researchers also examined OpenVPN configuration files from 108 apps.
Only one followed every security practice measured by the study. The other 107 had at least one weak or unsafe setting.
Twenty apps used weak or outdated encryption options. These included Blowfish and triple DES, which have known security problems. A few configurations turned off data encryption entirely.
Meanwhile, 96 apps relied on only one form of authentication. The researchers also found missing protections designed to make attacks harder.
These settings sit deep inside the app. You cannot judge them from the logo, star rating or “military-grade encryption” language on a store page.
Google Play badges do not guarantee VPN security
Google’s Verified badge for VPN apps involves added requirements.
Eligible apps must meet Play Store safety rules and complete an independent Mobile Application Security Assessment. They also need a verified organization account and a completed Data Safety declaration.
Still, the MVPNalyzer researchers found serious problems in apps that you could easily discover through the store.
The study warns that privacy labels and verification badges may function more like marketing signals than complete security guarantees.
A badge can provide one useful clue. It cannot tell you how the app behaves during every connection or whether its server settings remain secure.

Which free Android VPN apps leaked traffic?
MVPNalyzer found traffic leaks in 29 of the tested apps. Twenty-four exposed DNS requests, six allowed browser traffic to travel outside the VPN tunnel and four carried traffic through tunnels with no encryption. Some apps appear in more than one group, so the subcategory totals add up to more than 29.
The paper names the apps tied to each type of leak in Table III. Appendix A, Table VI also lists every tested app for which MVPNalyzer found an issue involving unencrypted traffic, leakage, tracking, weak OpenVPN configurations or failure to disguise VPN traffic. However, it does not provide a separate master list of all 281 apps tested. Below are the 29 apps, organized by the type of leak researchers found.
Android VPN apps that leaked DNS requests
The study found DNS leaks in these 24 apps:
Java VPN, Noon VPN, AM TUNNEL LITE VPN, AM TUNNEL PRO, MahsaNG, GoFly VPN, Ostrich VPN, NewNode VPN, Cookie, Delight VPN, Phone Guardian, RoboProxy, Kylo Vpn, LVCHA VPN, XY VPN, Take Off, Tesla Proxy Pro, Global VPN, Air Net VPN, FoxoVPN, Bolt VPN, Free VPN, Siam VPN and Nine Tail VPN.
DNS requests can reveal which websites or online services your phone tries to reach. Together, these apps accounted for about 360 million installs.
Android VPN apps that leaked browser traffic
The researchers found six apps that allowed browser traffic to travel outside the VPN tunnel:
Java VPN, Noon VPN, NewNode VPN, Phone Guardian, Unicorn HTTPS and Free VPN.
The appendix identifies the Free VPN app in this category by the package name org.sanctuary.freeconnect.
Several of these apps also appeared in the DNS leak group.
Android VPN apps that used unencrypted tunnels
The study found four apps that carried browser traffic through a tunnel without encryption:
Geo Tunnel, Raytunnel, Rosa VPN and V2net.
The paper names more apps in other categories
Appendix A, Table VI also names apps connected to unencrypted data, detectable VPN traffic, Advertising ID transmission and weak OpenVPN configurations. An app’s appearance in one category does not mean it failed every test. For example, the obfuscation category measures whether a network can identify VPN traffic. It does not automatically mean the app leaked browsing traffic or used an unencrypted tunnel.
Important clarification: The appendix lists a Fast VPN app with the package name com.express.vpn.master.save.browser.fast.proxy. Despite the wording inside that package name, it is not the official ExpressVPN Android app. The official ExpressVPN package is com.expressvpn.vpn.
Note: The researchers collected Google Play search results and tested the app versions available during the study. An app may have since been updated, renamed or removed. Some apps use generic names, so compare the package name when the paper provides one.

Ways to stay safe when choosing an Android VPN
You cannot inspect a VPN tunnel by looking at its home screen. Still, several checks can help you avoid the riskiest choices.
1) Find out who owns the VPN app
Look for the company operating the VPN. You should be able to find a real company name, a clear privacy policy and working support information. Be cautious when several apps use similar designs but provide little information about who runs them. Hidden ownership makes accountability much harder.
2) Look for a recent independent security audit
Check whether a known independent firm has audited the VPN. Pay attention to when the audit happened and which parts of the service it covered. An audit of a company website says little about the Android app. A stronger review examines the mobile software and the provider’s server system. Also check whether the company published the findings and explained how it corrected any problems.
3) Review the VPN app’s permissions
A VPN needs network access to work. It may also need permission to send connection alerts. Access to your location or contacts deserves an explanation. The same applies to your microphone and photo library. On many Android phones, open Settings > Apps > select the VPN app > Permissions. Remove any access the app does not need.
4) Delete old VPN apps from your phone
Remove VPN apps you no longer use. An abandoned app can leave old software or unsafe settings on your device. You should also be careful with apps that have not received a recent update. A VPN requires ongoing maintenance as Android and online threats change.
5) Keep Android and your VPN updated
Turn on automatic app updates through the Google Play Store when possible. Also install Android security updates as they become available. Updates cannot repair a provider’s poor business practices. However, they can close known flaws and replace outdated security components.
6) Run an online VPN leak test
Online leak tests can show whether your VPN exposes your real IP address or DNS requests. Run a test before connecting and then repeat it after the VPN connects. These tests have limits. They may not uncover an unsafe configuration download or private data collected inside the app.
7) Check the MVPNalyzer appendix carefully
Open Appendix A, Table VI of the MVPNalyzer research paper. Search for the app’s display name and check every category. Next, compare the package name when the paper provides one. You can usually find an Android app’s package name inside the address of its Google Play listing. Then check whether the developer issued an update or published a response. Remove the app when you cannot determine whether the finding has been corrected.
8) Do not rely on download numbers alone
Millions of installs can make an app feel established. However, popularity shows how widely an app has spread. It cannot prove that the app protects your traffic.
Why we recommend ExpressVPN for Android
For the best VPN software, we recommend ExpressVPN. ExpressVPN has published results from independent security reviews since 2018. Those assessments have covered its mobile apps, Lightway protocol and TrustedServer system.
Outside firms have also examined its privacy policy and software-building process. This public audit history gives you more information to review than a vague security promise on an app store page.
ExpressVPN does not log your browsing history or traffic destinations. It also does not collect DNS requests, connection timestamps or session lengths.
No VPN can protect you from a phishing text, fake login page or infected download. Use a VPN alongside software updates, strong, unique passwords with a password manager, and two-factor authentication (2FA). Reputable antivirus software such as Norton Antivirus Plus can add another layer of protection.
ExpressVPN is the go-to choice for those who prioritize ultra-fast speeds, reliability, and top-tier security. With servers in 105 countries, ExpressVPN delivers blazing-fast performance for streaming, gaming, and secure browsing. It supports P2P file sharing, offers best-in-class encryption, and maintains a strict no-logs policy—with all servers running on RAM for enhanced privacy. You can connect up to 10 devices simultaneously, and setup takes under 2 minutes. Plus, with 24/7 live customer support and a 30-day money-back guarantee, ExpressVPN is a premium choice for security-focused users who want speed without compromise.
CyberGuy Exclusive ExpressVPN Deals:
✅ Save 75% – Get 3 months FREE with 12-month plan for $3.99/month. Try 30 days risk-free.
✅ Save 84% – Get 4 months FREE with 24-month plan for $2.49/month. Try 30 days risk-free.
Related Links:
- Why your VPN keeps getting blocked and the simple fix
- Can you be tracked when using a VPN?
- Tired of websites blocking your VPN? A dedicated IP fixes that
Kurt’s key takeaways
That green “connected” icon tells you the VPN started a connection. It cannot prove the app encrypted everything or sent your traffic to the right server. That, to me, is the scary part. You could use the app because you feel safer while the real problem stays completely hidden. The study gives you a place to start by naming the apps tied to its findings. However, check the package name and remember that the researchers tested versions available during an earlier period. Choose a VPN company that shows its work through published audits and clear ownership. A high download count or impressive store description should never be enough.
Would you keep a free VPN on your phone if its green “connected” screen could be hiding a leak or an attacker? Let us know in the comments below.
FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2026 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
