What the Study Found
Researchers from the University of Michigan, the University of New Mexico, and IIT Delhi analyzed 281 of the most popular free Android VPN apps on the Google Play Store using a new testing framework called MVPNalyzer. The results reveal widespread failures in basic security and privacy protections. Of the apps tested, 29 allowed user traffic to leak outside the encrypted tunnel, exposing DNS lookups and browsing activity. A total of 61 apps transmitted some data in plain text, making it readable by anyone monitoring the network.
The most serious finding involved five apps that downloaded their configuration files without encryption. An attacker on the same network could intercept and modify these files, redirecting the user’s VPN connection to a server under their control. The researchers confirmed this tunnel hijacking attack worked on phones they controlled. Two of the five affected providers promised to switch to HTTPS for configuration delivery, while the others did not acknowledge the issue.
Tracking and Weak Configurations
Despite users installing VPNs to avoid tracking, 76 apps transmitted the device’s Advertising ID, and more than 80 percent contacted known advertising and tracking servers. Many apps collected phone model, operating system version, and screen size data that could uniquely fingerprint a device. One app even sent the phone’s exact GPS coordinates. Of the 108 apps that used OpenVPN configuration files, only one followed all security best practices. Nearly one in five used weak or outdated encryption such as Blowfish or triple DES, which have known vulnerabilities (CVE-2016-6329 and CVE-2016-2183) that could allow attackers to recover data from long running connections.
The researchers presented their findings at the NDSS security conference in February 2026. They plan to release the MVPNalyzer framework publicly so app stores and regulators can conduct their own audits.
Source: The Hacker News
