Study finds 281 Android VPN apps leak user data
University of Michigan researchers built a tool exposing DNS leaks, tracking, and weak encryption
Sixty-one of 281 popular Android VPN apps transmitted user data without encryption across more than 10,000 observed traffic flows, according to a new study from the University of Michigan and the University of New Mexico.
The team built a framework called MVPNalyzer to audit free VPN apps pulled from Google Play Store search results and its VPN Proxy & Tools category.
Launched at the NDSS 2026 Symposium held in February, the tool analyses network traffic, configuration files, and device data on multiple levels, which, according to scientists, is usually not detected during manual analysis. The applications identified during the investigation have a total number of installs in excess of 2.4 billion.
The twenty-nine apps under investigation have leaked all traffic without any encryption through the encrypted VPN tunnel, thereby violating their main purpose. Out of these, twenty-four applications have leaked the information about the user's browsing habits via DNS requests, and six applications leaked browser traffic.
There were five applications that transferred configuration files of the applications over an unencrypted connection; scientists successfully demonstrated that such an attack could lead to stealing the file and redirection of the user to a malicious server.
In addition to traffic leaks, 246 apps communicated with ad and tracking servers, while 76 apps sent out Android advertising IDs that allow continuous tracking throughout different apps.
Other types of data collected by many apps included device models, operating system versions, screen details, and IP addresses – details which can all be used for creating a device fingerprint. The quality of configurations was just as poor; out of 108 apps that had OpenVPN configurations, only one satisfied all the best security practices outlined by the researchers.
The authors claim that their results indicate a necessity for stricter regulation of apps in the Play Store and continuous audit of the respective VPN companies.
-
Apple sues OpenAI over alleged trade secret theft
-
Apple takes OpenAI to court over alleged hardware trade secret theft
-
Meta scraps AI image feature after privacy backlash
-
Meta AI detector fails to spot its own cropped images
-
Leak reveals iPhone Ultra's foldable battery capacity
-
End of private chats? Inside Europe's Chat Control 1.0 controversial push
-
UK puts Microsoft, Google, Amazon, Oracle under new oversight: Here’s why
-
EU orders Instagram, Facebook to change addictive design or face fines