Free Android VPNs Are Leaking Your Traffic, Study of 281 Apps Finds

Researchers tested the most popular free VPN apps on Google Play. Many fail at the one job they promise: keeping your internet activity private.

ThreatVectr Newsdesk· 3 min read
Full-frame overhead photoreal shot of an Android smartphone on a wooden cafe table, screen glowing with a generic VPN connection interface, faint reflection of
Share

Key points

  • Researchers tested 281 of the most-installed free VPN apps on the Google Play Store and found widespread privacy failures.
  • The flagged apps have been installed more than 2.4 billion times between them.
  • 29 apps allowed user traffic to leak outside the encrypted tunnel entirely.
  • The problems are basic misconfigurations, not sophisticated attacks, and undermine the core reason people install a VPN.

A new study of free Android VPN apps has found that many of the most popular ones fail at the basic job they advertise. That job is simple: hide your internet traffic from anyone watching, and keep it encrypted end to end.

A VPN, short for virtual private network, is meant to route your phone's internet activity through a secure tunnel so your internet provider, your employer's Wi-Fi, or a snoop on a coffee-shop network cannot see what you are doing. People install them for privacy, for streaming, and sometimes to get around censorship.

The researchers ran 281 of the most-downloaded free VPN apps on Google Play through an automated testing system. The findings, first reported by The Hacker News, are not pretty.

Should you stop using your free VPN?

If it is on the flagged list, yes, at least until the developer fixes it. The apps that failed the tests have been installed a combined 2.4 billion times, which gives a sense of how many phones are affected.

The problems are not exotic. They are the kind of mistakes a competent developer should catch before shipping.

29 of the apps let user traffic leak outside the encrypted tunnel altogether. That means the traffic the app promised to hide was travelling in the clear, visible to anyone in a position to look, such as an internet provider or the operator of a public Wi-Fi network.

Other apps in the study sent data without proper encryption, or bundled tracking code that quietly reported user activity back to third parties. In other words, some of these VPNs were doing the opposite of what their users installed them to do.

Why free VPNs so often fail

Running a VPN service costs real money. Servers, bandwidth, and staff to keep the thing running are not free. If the user is not paying, something else has to fund the operation.

That something is usually advertising, data collection, or both. Free VPN apps have a long history of embedding tracking libraries, selling aggregated browsing data, or cutting corners on the encryption itself to save on server costs.

This is not a new pattern. Academic studies going back years have repeatedly found that a large share of free Android VPNs contain tracking code, request excessive permissions, or ship with weak or broken encryption. The new study confirms the pattern has not gone away.

What ordinary users should do

A few practical steps, no panic required.

First, check whether your VPN app is one of the flagged ones when the researchers publish the full list. If it is, uninstall it.

Second, be sceptical of any VPN that is completely free with no paid tier. A reputable provider will usually have a clear business model that does not depend on your data.

Third, remember that a VPN is not a magic shield. It hides your traffic from the network you are on, but it does not stop phishing, malware, or a shady app you have already granted permissions to.

If you genuinely need a VPN for privacy, a paid service from a company with a published independent audit is a safer bet than a free app you found by searching the Play Store.

Google has not yet said whether it will remove the flagged apps. Play Store policy does require apps that use the VPN service to be transparent about data handling, and repeated academic findings like this one tend to prompt at least some enforcement action.

© 2026 Threat Vectr