Security flaws found in top free VPN Android apps

Android users looking for free VPN apps in the Google Play Store may want to think twice: new research from Metrics Lab has revealed that one in five of the top 150 free VPN apps could be a potential source of malware, while a quarter of the apps contain privacy-breaking bugs such as DNS leaks.

The company's Head of Research, Simon Migliano, made the discovery and found that these Android VPN apps have already been installed 260m times, according to Google.

Metrics Lab, which is behind the Top10VPN service, has organised and published its findings in the form of a risk index with the aim of helping Android users understand the privacy risks they are exposing themselves to when installing a free VPN.

Of the top 150 free VPNs, 27 apps were flagged as a potential source of malware after being tested using the utility VirusTotal.

DNS leak

Additionally, 25 per cent of the top 150 free VPNs on the Google Play Store were affected by a DNS leak security issue, which Migliano explained further in a blog post, saying:

“This security flaw occurs when a VPN fails to force DNS requests through its encrypted tunnel to its own DNS servers and instead permits the DNS requests to be made directly to the default ISP DNS servers. Even though the rest of a user’s traffic is concealed, such a leak exposes a user’s browsing history to their ISP and any third-party DNS server operator that it may use.”
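The leak condition described above can be checked from a traffic capture taken while the VPN is connected. The sketch below is an added example, not code from Metrics Lab or the article; the interface names, the resolver address 10.8.0.1 and the sample flows are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    iface: str   # interface the packet left the device on
    dst: str     # destination IP address
    dport: int   # destination port

# Plain DNS and DNS-over-TLS. DNS-over-HTTPS (port 443) cannot be told apart by port.
DNS_PORTS = {53, 853}

def find_dns_leaks(flows, tunnel_iface, vpn_resolvers):
    """Return (flow, reasons) for DNS flows that bypass the tunnel or the VPN's resolvers."""
    allowed = [ipaddress.ip_network(n) for n in vpn_resolvers]
    leaks = []
    for f in flows:
        if f.dport not in DNS_PORTS:
            continue
        dst = ipaddress.ip_address(f.dst)
        reasons = []
        if f.iface != tunnel_iface:
            reasons.append("outside tunnel")
        # An IPv6 address never matches an IPv4 network, so IPv6 lookups are
        # flagged unless the VPN's IPv6 resolvers are listed as well.
        if not any(dst in net for net in allowed):
            reasons.append("non-VPN resolver")
        if reasons:
            leaks.append((f, reasons))
    return leaks

# Constructed capture (documentation address ranges), VPN connected on tun0.
SAMPLE = [
    Flow("tun0", "10.8.0.1", 53),        # lookup via the VPN's own resolver
    Flow("tun0", "198.51.100.20", 443),  # ordinary HTTPS, not DNS
    Flow("wlan0", "203.0.113.53", 53),   # lookup sent straight to the ISP resolver
    Flow("wlan0", "2001:db8::53", 53),   # IPv6 lookup that skipped the tunnel
    Flow("tun0", "192.0.2.8", 853),      # tunnelled, but to a third-party resolver
]

def leak_report():
    return find_dns_leaks(SAMPLE, tunnel_iface="tun0", vpn_resolvers=["10.8.0.1/32"])

if __name__ == "__main__":
    for flow, reasons in leak_report():
        print(f"{flow.iface:6} {flow.dst:15} :{flow.dport}  {', '.join(reasons)}")
```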

The firm also discovered that some free VPNs were asking users for highly intrusive permissions: 25 per cent of apps asked to access a user's location, 38 per cent tried to access device status information and 57 per cent included code to retrieve a user's last known location.

While a free VPN may sound enticing at first, there will always be some kind of tradeoff and we highly recommend researching any VPN extensively before installing it on your devices.

Via Bleeping Computer