An academic study of 281 popular free Android VPN apps on Google Play found widespread privacy and security failures affecting apps with more than 2.4 billion installs. Researchers from the University of Michigan, the University of New Mexico, and IIT Delhi used the MVPNalyzer framework to identify traffic escaping VPN tunnels, plaintext transmission of sensitive data, weak or missing encryption, and extensive contact with advertising and tracking services. The study reported 61 apps with unencrypted data flows, 29 with traffic leakage issues, and 246 that communicated with ad or tracking URLs.
The most severe finding affected five apps that downloaded VPN configuration files without encryption, creating a path for an attacker on the same network to hijack the tunnel and redirect users to attacker-controlled VPN servers. Researchers also found weak OpenVPN configuration practices in 107 of 108 apps containing configuration files and said many apps showed poor resistance to censorship or VPN detection. Presented at NDSS 2026, the research argued that Google Play trust signals, including safety labels and the VPN "Verified" badge, do not reliably reflect the actual security of Android VPN apps.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Researchers from the University of Michigan, the University of New Mexico, and IIT Delhi presented the study and its findings at NDSS 2026. They also argued that Google Play trust signals such as safety labels and the VPN "Verified" badge do not reliably indicate actual app security.
The most severe issue affected five apps that fetched configuration files without encryption, allowing an attacker on the same network to redirect users to attacker-controlled VPN servers. The study also found weak OpenVPN configuration practices in 107 of 108 apps containing configuration files.
The study found broad security and privacy failures across the tested apps, including traffic leaking outside VPN tunnels, plaintext transmission of sensitive data, weak or absent encryption, and extensive contact with advertising or tracking services. Reported counts included 61 apps with unencrypted data flows, 29 with traffic leakage issues, and 246 contacting ad or tracking URLs.
A 2026 academic study used the MVPNalyzer framework to systematically test 281 popular free Android VPN apps from the Google Play Store for privacy and security weaknesses. The researchers described MVPNalyzer as the first framework for systematic, repeatable auditing of Android VPN apps.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cryptika.com
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.