Not all Android VPNs protect users' privacy

A new research paper has found that 38% of free virtual private network (VPN) apps contain malware and 84% leak users' traffic, in complete disregard of the privacy they are supposed to protect.

Mohamed Ali Kaafar, principal researcher in online privacy and security at Australia’s CSIRO's Data61, co-authored the paper with researchers from UNSW, ICSI, and UC Berkeley. The researchers tested 238 Android apps from Google Play and found that many free VPNs are thinly disguised malware, adware or data stealers, and that users don’t really know or care – the lure of a free VPN is enough to attract them.

The paper found that most apps simply rely on Android’s built-in BIND_VPN_SERVICE permission, which allows an app to intercept and take full control of a user’s traffic. Malicious app developers can abuse the permission to harvest users’ personal information.

The paper is here – below is a summary of its findings.

These include:

  • 75% of such VPN apps use third-party tracking libraries (they know what websites you visit or search terms used etc.).
  • 82% request permissions to access sensitive resources including user accounts, text messages, contacts, calendar, emails and system logs – they are VPN honeypots to trap user data.
  • 38% contain malware.
  • 18% do not use the terminating VPN server entity.
  • 16% forward traffic through other participating users in a peer-forwarding fashion rather than using machines hosted in the cloud. This forwarding model raises trust, security, and privacy concerns.
  • 4% use the VPN permissions to implement localhost proxies to intercept and inspect user traffic locally.
  • 18% implement unencrypted tunnelling protocols despite promising online anonymity and security.
  • 84% and 66% respectively do not tunnel IPv6 and DNS traffic through the tunnel interface, opening users up to man-in-the-middle Wi-Fi attacks.
  • 16% modify users' HTTP traffic by injecting and removing headers or by performing techniques such as image transcoding, for example injecting JavaScript code for advertisement and tracking purposes or redirecting e-commerce traffic to external advertising partners.
  • Four compromise users’ root-store and actively perform in-flight TLS interception. Some of these apps claim traffic acceleration services and selectively intercept traffic to specific online services like social networks, banking, e-commerce sites, email and IM services and analytics services.
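
The BIND_VPN_SERVICE and sensitive-permission findings above can be checked from an app's manifest. The following is an added example, not code from the paper or this article; it assumes the manifest has already been decoded to text XML, and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"

# Sensitive resources named in the summary, mapped to standard Android permissions.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "user accounts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_LOGS": "system logs",
}

def audit_manifest(manifest_xml):
    """Report VPN services and sensitive permissions declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    # A VPN service is a <service> protected by BIND_VPN_SERVICE.
    vpn_services = [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
                    if svc.get(ANDROID_NS + "permission") == VPN_PERMISSION]
    requested = {el.get(ANDROID_NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag)}
    sensitive = sorted(SENSITIVE[p] for p in requested if p in SENSITIVE)
    return {"package": root.get("package"),
            "vpn_services": vpn_services,
            "sensitive_resources": sensitive,
            # Flag the combination the summary warns about: traffic control plus data access.
            "flag": bool(vpn_services) and bool(sensitive)}

# Constructed sample manifests (hypothetical package names).
HEADER = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
SERVICE = ('<application><service android:name=".TunnelService" '
           'android:permission="android.permission.BIND_VPN_SERVICE">'
           '<intent-filter><action android:name="android.net.VpnService"/></intent-filter>'
           '</service></application></manifest>')
GREEDY = (HEADER % "com.example.freevpn"
          + '<uses-permission android:name="android.permission.INTERNET"/>'
          + '<uses-permission android:name="android.permission.READ_SMS"/>'
          + '<uses-permission android:name="android.permission.READ_CONTACTS"/>'
          + SERVICE)
MINIMAL = (HEADER % "com.example.plainvpn"
           + '<uses-permission android:name="android.permission.INTERNET"/>'
           + SERVICE)

if __name__ == "__main__":
    for sample in (GREEDY, MINIMAL):
        print(audit_manifest(sample))
```

A flagged result is a reason for closer review rather than proof of abuse, since the check only reads what the manifest declares.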

The report casts serious doubt on the intent and validity of most free VPN apps, which it treats as nothing more than a claimed panacea – it says that from 2011 to 2013 free VPN apps skyrocketed tenfold. The apps are mostly identified as VPNs but can also be called traffic optimisers, communications tools, traffic filters or even Tor clients. Many offer in-app purchases (to premium versions or third-party apps), a feature of most freemium apps.

The report concludes:

The increasing number of popular VPN apps available on Google Play and the apparent lack of user awareness of the security and privacy risks associated with the VPN permission indicate the need to analyse in depth this unexplored type of mobile app. The average mobile user rates VPN apps positively even when they have malware presence. Only a handful of users has raised any type of security and privacy concern in their reviews.

Researchers contacted and shared findings with the app developers:

  • Apps with: JavaScript injection, traffic redirection, ad-blocking and tracker-blocking, exogenous flow, peer-forwarding user traffic, and TLS interception.
  • Apps requesting sensitive permissions, apps that are negatively reviewed by users, and the ones with embedded third-party tracking libraries.
  • Apps possibly containing malware in their APKs.

The developers' poor responses are in Section 5.5 of the report. Of the 238 free apps, none appeared to receive a completely clean bill of health.


Ray Shaw


Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

