Hundreds of free VPN apps are not fit for purpose - but sadly, we can't tell you which are the naughty ones

Cybersecurity ensures data protection on internet. Data encryption, firewall, encrypted network, VPN, secure access and authentication defend against malware, hacking, cyber crime and digital threat
(Image credit: Shutterstock)

  • Many free VPNs act like spyware, collecting sensitive user information
  • Several apps misuse permissions, turning privacy tools into tracking systems
  • VPN developers often justify excessive access with misleading security explanations

The growing popularity of free VPN apps has provided mobile users with an easy path to privacy - however, new evidence also suggests many of these apps may be doing the opposite of what they promise.

Research from Zimperium zLabs has claimed a large portion of free VPNs for Android and iOS request excessive permissions, use outdated code, and may expose users to surveillance-level risks.

Despite the scale of the findings, the report did not disclose which apps were involved, leaving users to rely on their own caution when choosing what they believe to be the best free VPN service.

When privacy tools become surveillance risks

A VPN app is supposed to encrypt and protect network traffic, but many of those analyzed show behaviors that contradict this purpose.

Some request Android’s “READ_LOGS” permission, which allows them to view system-wide activity, potentially giving them access to usernames, passwords, and personal messages.

This ability effectively turns them into spyware, capable of keylogging and avoiding mobile threat detection.

Others seek iOS permissions such as “LOCATION_ALWAYS,” granting 24-hour GPS tracking that enables continuous surveillance of a user’s movements.

These permissions, which have no legitimate use in a VPN, can be combined with traffic data to create detailed profiles of a person’s online and offline habits.

Zimperium’s analysis found many cases where free VPN apps requested “private entitlements,” which allow deep access to a device’s operating system.

Such privileges can let an app run code, extract sensitive data, or gain control over the device, creating serious privacy and security risks.

Some apps also use outdated OpenSSL libraries still vulnerable to the Heartbleed bug from 2014, showing that many developers are neglecting even basic patching standards.

Others fail to validate certificates properly, exposing users to man-in-the-middle attacks that allow interception of supposedly secure traffic.

Researchers also found VPN apps requesting permissions like “USE_LOCAL_NETWORK.”

This allows them to map nearby devices on a Wi-Fi network, a function better suited to malware than security software.

Developers sometimes justify such access by claiming it improves “connection troubleshooting,” yet in practice, it allows device scanning and network reconnaissance.

Several apps can even capture screenshots, exposing user data that is visible on the screen.

With hundreds of VPNs found to present such risks, the difference between secure and unsafe tools becomes critical.

Unfortunately, Zimperium declined to share the list of these VPNs, therefore, users must approach free VPNs with skepticism.

Also, they should favor providers that undergo independent audits, clearly disclose their privacy policies, and avoid intrusive permissions.


Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

You might also like

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.