Research into 18 popular free Android VPN apps on the Google Play Store found that most of them weakened user privacy instead of protecting it. Using static analysis with MobSF, researchers reported that 17 of the 18 apps contained at least one embedded tracker, averaging nearly five trackers per app, while many also requested permissions far beyond what a VPN typically needs, including access to sensitive device features such as the camera, microphone, and location.
The findings flagged apps including FreeVPN, VPN Proxy Master, Turbo VPN, VPN 360, and Secure VPN as particularly concerning because they combined extensive tracking, dangerous permissions, and hardcoded connections to infrastructure in jurisdictions such as China and Russia. Researchers said many of the services appear to operate more like data collection and advertising platforms than genuine privacy tools, exposing users to surveillance and other security risks and reinforcing advice to scrutinize app permissions and favor more transparent alternatives.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Researchers reported that several apps used hardcoded connections to servers in jurisdictions such as China and Russia, raising surveillance and privacy concerns. The report concluded that many free VPNs operate more as data collection and advertising platforms than genuine privacy tools.
The analysis found that 17 of 18 apps contained at least one tracker, averaging nearly five trackers per app, and that several requested permissions beyond what a VPN typically needs, including access to sensitive device features. Apps including FreeVPN, VPN Proxy Master, Turbo VPN, VPN 360, and Secure VPN were highlighted as especially concerning.
Mysterium VPN conducted a static analysis of 18 popular free Android VPN apps from the Google Play Store using MobSF to assess their privacy and security behavior. The study examined embedded trackers, requested permissions, and hardcoded network infrastructure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.