A new security study has found serious privacy and security issues in 281 popular Android VPN applications available on the Google Play Store.
Researchers discovered that dozens of these apps transfer data without encryption, leak user traffic outside the VPN tunnel, and send device identifiers to advertising and tracking services.
The research team from multiple universities developed a framework called MVPNalyzer to test how Android VPN apps handle network traffic, configuration files, and user data. VPN apps hold a privileged position on smartphones because they can intercept and route traffic from other applications.

Users often install them to avoid surveillance, bypass censorship, or protect activity on untrusted Wi-Fi networks. However, the study shows that many apps fail to provide even basic protections.
Google Play VPN Apps Exposed
Researchers tested 281 operational free VPN apps collected from Google Play search results and the VPN Proxy & Tools category.
The affected applications collectively account for billions of installs, showing that insecure VPN behavior can affect a very large number of users.

The most concerning issue involved unencrypted communications. The study found 61 VPN apps transmitting cleartext data through 10,552 observed flows.
This data included web content, JavaScript, JSON files, and VPN-related resources. A network attacker positioned between a user and the internet connection could potentially read or alter this traffic.
Five apps transferred VPN configuration files over unencrypted connections. These files tell a client how to connect to a VPN server.
If an attacker modifies a configuration file while it is in transit, they could redirect the victim to an attacker-controlled VPN server and potentially intercept their internet traffic.
According to the NDSS Symposium report, researchers demonstrated tunnel hijacking on controlled devices and found traffic leakage issues in 29 VPN apps.
Twenty-four applications leaked DNS requests outside the encrypted tunnel, exposing the domains a user attempted to visit. Six apps leaked browser traffic, while four used unencrypted tunnels that exposed visited domains in network packets.
Such failures undermine the main purpose of a VPN, which is to prevent local networks, internet providers, and other on-path observers from seeing user activity.
Privacy concerns were also widespread. The researchers identified 246 apps that contacted advertising or tracking URLs. In addition, 76 apps transmitted Android Advertising IDs, which can be used for persistent cross-app tracking.
Many apps also exposed device details such as model, operating system version, API level, language, screen information, country, and IP address. Combined, these details can help advertisers build a device fingerprint.
The study also identified weak VPN configuration practices. Of 108 apps containing OpenVPN configuration files, only one met all evaluated security best practices.
The remaining 107 showed at least one issue, including weak cryptography, weak authentication, outdated directives, or missing hardening settings designed to prevent server impersonation and control-channel attacks.
Users should treat free VPN services cautiously, especially when they make strong privacy or censorship-bypass claims. Before installing a VPN, users should review its developer reputation, privacy policy, independent audits, and history of security updates.
The findings also highlight the need for stronger app-store enforcement and ongoing independent auditing of mobile VPN providers.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide
The post 281 Popular VPN Apps from the Google Play Store Leak Sensitive Data, Transfer Data Unencrypted appeared first on Cyber Security News.

