
Free VPNs leak your data while claiming privacy

Most free Android VPNs track users, request dangerous permissions, and connect to risky servers; their privacy comes at a hidden cost.

Free VPN apps are some of the most popular downloads on Android, promising privacy at no cost. But the reality is far from what they advertise. Most users tap “install” without a second thought, unaware that many of these apps collect and share personal data rather than protecting it. Mysterium VPN’s research provides concrete evidence of the risks hidden inside free VPNs, revealing how they operate behind the scenes and why “free” often comes with a high price for your privacy.

The research focused on 18 of the most popular free Android VPN apps from the Google Play Store. Each app was analyzed using MobSF, an open-source mobile security framework. This static analysis examined four main areas: the permissions requested by the app, any embedded third-party trackers, hardcoded network endpoints, and developer or third-party email addresses within the code. While static analysis cannot reveal real-time activity, the presence of these elements alone shows what the app is capable of and the potential dangers to users.

A major finding is the sheer number of embedded trackers. Trackers are pieces of software that collect data on user behavior, often for advertising or analytics. Out of the 18 apps tested, 17 contained at least one tracker, and the average app included nearly five. Some apps contained more than a dozen trackers, including platforms from the U.S., China, and Russia. Google’s advertising and analytics tools, like AdMob and Firebase Analytics, were present in nearly every app, and Facebook integration appeared in several, enabling cross-platform tracking. Apps such as Turbo VPN and VPN Proxy Master included Chinese platforms like Umeng and Mobvista, as well as Russian trackers like Yandex Ad. This means users attempting to avoid tracking are often exposed to extensive monitoring by multiple third-party companies.

Permissions requested by these apps revealed another layer of concern. A legitimate VPN needs only a few permissions: network access, the ability to create a VPN tunnel, and the ability to run in the foreground. Yet many apps requested far more, often with no relationship to VPN functionality. FreeVPN, for instance, requested 21 permissions, 12 of which are considered “dangerous” under Android rules. These included camera, microphone, contacts, call logs, precise location, and device storage access. Essentially, the app could record audio or video, read your call history, track your movements, and access your photos and files. This permission set resembles spyware more than a privacy tool. Other apps like VPN Proxy Master, VPN 360, and Secure VPN also requested a high number of dangerous permissions, some including the ability to modify system settings or display overlays, techniques that could enable clickjacking or other malicious behavior.
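The permission review described above is easy to automate for a manifest you have pulled out of an APK. The script below is an added example for this article, not code from the Mysterium VPN report or from MobSF: it parses a constructed AndroidManifest.xml and reports every permission beyond a minimal VPN baseline, separating the ones Android classifies as dangerous (runtime prompt) from the special ones granted through a settings screen (overlays, system settings). The baseline, the permission lists and the sample manifest are assumptions modelled on the pattern the article describes, not taken from any real app.

```python
"""Triage the permissions an Android app requests against what a VPN needs.

Added example; not code from the Mysterium VPN report or MobSF. The baseline
and the sample manifest are assumptions modelled on the article's description.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed minimal baseline for a VpnService-based client. BIND_VPN_SERVICE is
# declared on the <service> element, not requested with <uses-permission>.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",  # foreground-service notification
}

# Runtime ("dangerous") permissions, a subset of Android's reference list.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# "Special" permissions granted via a settings screen rather than a prompt;
# overlays and settings changes are the two the article links to clickjacking.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest mirroring the over-privileged pattern described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <application android:label="Free VPN">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml):
    """Summarise the permission set: totals, dangerous, special, beyond baseline."""
    perms = requested_permissions(manifest_xml)
    return {
        "total": len(perms),
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "special": sorted(p for p in perms if p in SPECIAL),
        "beyond_baseline": sorted(p for p in perms if p not in VPN_BASELINE),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("requested:", report["total"])
    for key in ("dangerous", "special", "beyond_baseline"):
        print(key + ":")
        for p in report[key]:
            print("   ", p)
```

Run it against the manifest extracted from any APK (apktool or MobSF both produce one); a VPN whose `beyond_baseline` list contains camera, microphone, contacts or call-log entries has no VPN-related reason for them, which is exactly the spyware-shaped profile the article describes.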

Network connections were another significant concern. Many apps connected to a large number of hardcoded domains, sometimes over 100 for a single app, far more than necessary for a VPN. Some of these domains were located in countries with strict state surveillance or subject to U.S. OFAC sanctions, such as China and Russia.

“Beyond trackers and permissions, perhaps the most alarming finding is the number of free VPN apps that contain hardcoded connections to servers in countries subject to OFAC sanctions or with documented state surveillance programs,” reads the report published by Mysterium VPN. “Routing VPN traffic through these jurisdictions exposes users to risks that no tracker policy or permission review can address.”

Using servers in these jurisdictions exposes users to additional risks, as local laws may require companies to log user traffic or provide access to government agencies. For example, Turbo VPN connects to Chinese servers on Alibaba’s network and includes multiple Chinese trackers. VPN Proxy Master communicates with both Chinese and Russian infrastructure while also embedding trackers from these countries. VPN 360 connected to 105 unique domains, combining multiple trackers with potentially risky server locations.

Other alarming behaviors include apps using plaintext HTTP connections instead of encrypted HTTPS, exposing data in transit. Some apps also included embedded email addresses, which could indicate a lack of professionalism or provide potential avenues for phishing and other attacks.
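The remaining three things the static analysis looked for (hardcoded endpoints, plaintext HTTP and embedded email addresses, plus tracker SDKs) can be pulled from the string table of a decompiled APK with a few regular expressions. This is an added example for this article, not code from the report or from MobSF. The input is a constructed list of the kind of strings a decompiler or a `strings` pass yields, the hostnames are reserved example/test names, and the tracker package prefixes are an assumption standing in for a real signature list such as the one Exodus Privacy maintains.

```python
"""Scan decompiled-APK strings for hardcoded endpoints, plaintext HTTP,
embedded email addresses and tracker SDK packages.

Added example; not code from the Mysterium VPN report or MobSF. Sample strings
and tracker prefixes are constructed/assumed.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""\bhttps?://[^\s"'<>]+""", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Assumed mapping of SDK package prefixes to tracker names (illustrative only).
TRACKER_PREFIXES = {
    "com.google.android.gms.ads": "Google AdMob",
    "com.google.firebase.analytics": "Firebase Analytics",
    "com.facebook": "Facebook",
    "com.umeng": "Umeng",
    "com.yandex.mobile.ads": "Yandex Ads",
}

# Constructed strings of the kind found in a decompiled app.
SAMPLE_STRINGS = [
    "https://api.example-vpn.test/v1/servers",
    "http://cfg.example-vpn.test/config.json",      # config fetched over plaintext
    "https://api.example-vpn.test/v1/login",
    "http://203.0.113.10:8080/ping",               # raw IP, plaintext
    "com.google.android.gms.ads.MobileAds",
    "com.google.firebase.analytics.FirebaseAnalytics",
    "com.umeng.analytics.MobclickAgent",
    "support@example-vpn.test",
    "dev.lead@contractor.example",
    "Connecting to server...",
]


def find_urls(strings):
    """Every URL-looking token, in order of appearance."""
    return [url for s in strings for url in URL_RE.findall(s)]


def scan(strings):
    """Classify endpoints, plaintext transports, emails and tracker SDKs."""
    domains, plaintext = set(), []
    for url in find_urls(strings):
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        domains.add(parts.hostname)
        if parts.scheme == "http":          # urlsplit lower-cases the scheme
            plaintext.append(url)
    emails = sorted({e for s in strings for e in EMAIL_RE.findall(s)})
    trackers = {
        name
        for s in strings
        for prefix, name in TRACKER_PREFIXES.items()
        if s.startswith(prefix)
    }
    return {
        "unique_domains": len(domains),
        "domains": sorted(domains),
        "plaintext_http": plaintext,
        "emails": emails,
        "trackers": sorted(trackers),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_STRINGS).items():
        print(key, "=", value)
```

On a real app the domain list is where the "over 100 hardcoded domains" figure comes from; a raw IP address or an `http://` configuration endpoint is worth a closer look on its own, since a plaintext config fetch is exactly the data-in-transit exposure the article calls out.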

The research identifies the apps with the most concerning risk profiles. FreeVPN stands out for its extreme permissions, despite having no trackers. VPN Proxy Master combines high permissions, numerous trackers, and connections to risky infrastructure, making it the most comprehensive data collector. Turbo VPN is the “tracker king,” embedding platforms from three national advertising ecosystems. VPN 360 has the largest network footprint, with over 100 hardcoded domains. Secure VPN combines dangerous permissions with extensive tracking, including Facebook’s full suite.

The takeaway for users is clear: most free VPN apps are not primarily privacy tools. They are advertising and data collection platforms disguised as security apps. To protect yourself, review requested permissions carefully, audit apps for trackers using tools like Exodus Privacy, and be skeptical of free apps. Open-source and independently audited VPNs are safer, as are decentralized VPN networks, which reduce the risk of a single entity collecting or monetizing your data. Until app stores enforce privacy standards, users bear the responsibility of verifying the safety of any VPN they install.

In short, “free” often comes at a steep cost. Instead of privacy, many free VPNs deliver extensive surveillance, heavy tracking, and connections to potentially dangerous jurisdictions. Investing in a reputable, secure VPN is worth the cost for the protection and peace of mind it provides. Your digital privacy is valuable, and safeguarding it requires informed choices rather than relying on a zero-cost lure.

“The central finding of this research is straightforward: the overwhelming majority of popular free VPN apps on Android are not primarily privacy tools. They are data collection and advertising platforms that provide VPN functionality as a lure,” concludes the report. “The business model is clear, and the mechanisms for executing it are built into the app before a user ever opens it.”


Pierluigi Paganini

(SecurityAffairs – hacking, VPNs)

How private is your VPN?

When you’re shopping around for a Virtual Private Network (VPN) you’ll find yourself in a sea of promises like “military-grade encryption!” and “total anonymity!” You can’t scroll two inches without someone waving around these fancy terms.

But not all VPNs can be trusted. Some VPNs genuinely protect your privacy, and some only sound like they do.

With VPN usage rising around the world for streaming, travel, remote work, and basic digital safety, understanding what makes a VPN truly private matters more than ever.

After years of trying VPNs for myself, privacy-minded family members, and a few mission-critical projects, here’s what I wish everyone knew.

Why do you even need a VPN?

If you’re wondering whether a VPN is worth it, you’re not alone. As your privacy-conscious consumer advocate, let me break down three time-saving and cost-saving benefits of using a privacy-first VPN.

Keep your browsing private

Ever feel like someone’s always looking over your shoulder online? Without a VPN, your internet service provider, and sometimes websites or governments, can keep tabs on what you do. A VPN encrypts your traffic and swaps out your real IP address for one of its own, letting you browse, shop, and read without a digital paper trail following you around.

I’ve run into this myself while traveling. There were times when I needed a VPN just to access US or European web apps that were blocked in certain Asian countries. In other cases, I preferred to appear “based” in the US so that English-language apps would load naturally, instead of defaulting to the local language, currency, or content of the country I was visiting.

Watch what you want, but pay less

Some of your favorite shows and websites are locked away simply because of where you live. In many cases, subscription or pay-per-view prices are higher in more prosperous regions. With a VPN, you can connect to servers in other countries and unlock content that isn’t available at home.

For example, when All Elite Wrestling (AEW) announced its major 2022 pay-per-view featuring CM Punk vs. Jon Moxley, US fans paid $49.99 through Bleacher Report. Fans in the UK, meanwhile, watched the exact same event on FiteTV for $23 less, around half the price. Because platforms determine pricing based on your IP address, a VPN server in another region can show you the pricing available in that country. Savings like that can make a VPN pay for itself quickly.

Stay safe on coffee-shop Wi-Fi

Before you join a network named “Starbucks Guest WiFi,” remember that nothing stops a cybercriminal from broadcasting a hotspot with the same name. Public Wi-Fi is convenient, but it’s also one of the easiest places for someone to snoop on your traffic.

Connecting to your VPN immediately encrypts everything you send or receive. That means you can check email, pay bills, or browse privately without worrying about someone nearby intercepting your information. Getting compromised will cost far more in money, time, and stress than most privacy-first VPN subscriptions.

But what actually makes a VPN privacy-first?

For a VPN, “privacy-first” can’t be just a nice slogan. It’s a mindset that shapes every technical, business, and legal decision.

A privacy-first VPN:

  • Collects as little data as possible — only the minimum needed to run the service.
  • Enforces a real no-logs policy through design, not marketing.
  • Builds privacy into everything, from software to server operations.
  • Practices transparency, often through open-source components and independent audits.

If a VPN can’t explain how it handles these areas, that’s a red flag.

What is WireGuard and why is it such a big deal?

WireGuard isn’t a VPN service. It’s the protocol that powers many modern VPNs, including Malwarebytes Privacy VPN. It’s the engine that handles encryption and securely routes your traffic.

WireGuard is the superstar in the VPN world. Unlike clunkier, older protocols (like OpenVPN or IPsec), it’s deliberately lean and built for the modern internet. Its small codebase is easier to audit and leaves fewer places for bugs to hide. It’s fully open-source, so researchers can dig into exactly how it works.

Its cryptography is fast, efficient, and modern with strong encryption, solid key exchange, and lightweight hashing that reduces overhead. In practice, that means better privacy and better performance without a provider having to gather connection data just to keep speeds usable.

Of course, WireGuard is just the foundation. Each VPN implements it differently. The better ones add privacy-friendly tweaks like rotating IP addresses or avoiding static identifiers so that even they can’t link sessions back to individual users.

How to compare VPNs

With VPN usage rising, especially where new age-verification rules have sparked debate about whether VPNs might face future scrutiny, it’s more important than ever to choose providers with strong, transparent privacy practices.

When you boil it down, a handful of questions reveal almost everything about how a VPN treats your privacy:

  • Who controls the infrastructure?
  • Are the servers RAM-only?
  • Which protocol is used, and how is it implemented?
  • What laws apply to the company?
  • Have experts audited the service?
  • Do transparency reports or warrant canaries exist and stay updated?
  • Can you sign up and pay without giving away your entire identity?

If a VPN provider gets evasive about any of this, or runs its service “for free” while collecting data to make the numbers work, that tells you almost everything you need to know.

Why infrastructure ownership matters

One of the most revealing questions you can ask is deceptively simple: Who actually owns the servers?

Most VPNs rent hardware from large data centers or cloud platforms. When they do, your traffic travels through machines managed not only by the VPN’s engineers, but also by whoever runs those facilities. That introduces an access question: Who else has their hands on the hardware?

When a VPN owns and operates its equipment, including racks and networking gear, it reduces the number of unknowns dramatically. The fewer third parties in the chain, the easier it is to stand behind privacy guarantees.

RAM-only (diskless) servers: the gold standard

RAM-only servers take this a step further. Because everything runs in memory, nothing is ever written to a hard drive. Pull the plug and the entire working state disappears instantly, like wiping a whiteboard clean. That means no logs sitting quietly on a disk, nothing for an intruder or authorities to seize, and nothing left behind if ownership, personnel, or legal circumstances change.

This setup also tends to go hand-in-hand with owning the hardware. Most public cloud environments simply don’t allow true diskless deployments with full control over the underlying machine.

Other privacy features to watch for

Even with strong infrastructure and protocols, the details still matter. A solid kill switch keeps your traffic from leaking if the connection drops. Private DNS prevents queries from being routed through third parties. Multi-hop routes make correlation attacks harder. And torrent users may want carefully implemented port forwarding that doesn’t introduce side channels.
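Two of those details, the kill switch and private DNS, are visible in a WireGuard client configuration, and so is the IPv6 route that is the most common way a "full tunnel" still leaks. The audit below is an added example for this article, not code from Malwarebytes or the WireGuard project: it parses two constructed wg-quick configurations and reports which leak protections are missing. The kill-switch rules are modelled on the example in the wg-quick(8) man page, the key values are placeholders, and the hostname is a reserved test name.

```python
"""Audit a wg-quick configuration for leak protections: full-tunnel routing
for IPv4 and IPv6, an in-tunnel DNS resolver, and a firewall kill switch.

Added example; not code from Malwarebytes or WireGuard. Both configs are
constructed; kill-switch rules follow the wg-quick(8) man page example.
"""
import ipaddress

WEAK_CONFIG = """
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server public key placeholder>
Endpoint = vpn.example.test:51820
AllowedIPs = 0.0.0.0/0
"""

HARDENED_CONFIG = """
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.8.0.2/32, fd00:8::2/128
# Resolver reachable only inside the tunnel, so queries never hit the ISP.
DNS = 10.8.0.1
# Kill switch: reject any packet leaving on another interface without the
# tunnel's fwmark (rule shape taken from the wg-quick(8) man page).
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PostUp = ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server public key placeholder>
Endpoint = vpn.example.test:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Minimal parser for the INI-style wg-quick format.

    Keys are lower-cased and values kept in lists, since PostUp/PreDown may repeat.
    """
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = iface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return {"interface": iface, "peers": peers}


def covers_all(networks, version):
    """True if the networks of that IP version collapse to the whole address
    space; accepts 0.0.0.0/0 as well as the 0.0.0.0/1 + 128.0.0.0/1 idiom."""
    same = [n for n in networks if n.version == version]
    collapsed = list(ipaddress.collapse_addresses(same))
    return len(collapsed) == 1 and collapsed[0].prefixlen == 0


def audit(text):
    """Return a list of leak findings; an empty list means every check passed."""
    cfg = parse_wg_config(text)
    iface, findings, allowed = cfg["interface"], [], []
    for peer in cfg["peers"]:
        for entry in peer.get("allowedips", []):
            for cidr in entry.split(","):
                if cidr.strip():
                    allowed.append(ipaddress.ip_network(cidr.strip(), strict=False))
    if not covers_all(allowed, 4):
        findings.append("IPv4 is not fully routed through the tunnel (AllowedIPs)")
    if not covers_all(allowed, 6):
        findings.append("IPv6 is not routed through the tunnel, so IPv6 traffic bypasses the VPN")
    if not iface.get("dns"):
        findings.append("no DNS directive: queries go to the system resolver, usually the ISP's")
    post_up = " ".join(iface.get("postup", []))
    has_reject = any(target in post_up for target in ("-j REJECT", "-j DROP"))
    if "! -o %i" not in post_up or not has_reject:
        findings.append("no kill switch: nothing rejects traffic leaving on another interface")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit(cfg_text) or ["no findings"])
```

The weak configuration is what many client apps generate by default: IPv4 is tunnelled, but IPv6 and DNS follow the normal route, and nothing stops traffic from leaking when the tunnel drops. A provider's app may implement the kill switch in its own code rather than in the config, so an empty finding list here is evidence of care, not a guarantee.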

These aren’t flashy features, but they show whether a provider has considered the full privacy landscape, not just the obvious parts.

Audits and transparency reports

A provider that truly stands behind its privacy claims will welcome outside inspection. Independent audits, published findings, and ongoing transparency reports help confirm whether logging is disabled in practice, not just in principle. Some companies also maintain warrant canaries (more on this below). None of these are perfect, but together they paint a clear picture of how seriously the VPN treats user trust.

A warrant canary in the VPN coal mine

Okay, so here’s something interesting: some companies use something called a “warrant canary” to quietly let us know if they’ve received a top-secret government request for data. Here’s the deal: it’s illegal for them to simply tell us, “Hey, the government’s snooping around.” So, instead, they publish a simple statement that says something like, “As of January 2026, we haven’t received any secret orders for your data.”

The clever part is that they update this statement on a regular basis. If it suddenly disappears or just stops getting updated, it could mean the company got hit with one of these hush-hush requests and legally can’t talk about it. It’s like the digital version of a warning signal. It is nothing flashy, but if you’re paying attention, you’ll spot when something changes.

It’s not a perfect system (and who knows what the courts will think of it in the future), but a warrant canary is one way companies try to be on our side, finding ways to keep us in the loop even when they’re told to stay silent. So, give an extra ounce of trust to companies that publish these regularly.
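Because a canary only works if someone notices when it disappears, goes stale or is quietly reworded, the useful thing to build is a small monitor rather than a one-off check. The script below is an added example for this article, not code from Malwarebytes or any VPN provider. The statement text and dates are constructed, the 90-day cadence is an assumption, and the fingerprint masks the "As of" date so that a routine refresh is not reported as a change while any other rewording is.

```python
"""Monitor a warrant canary: flag it when it is missing, stale or reworded.

Added example; not code from Malwarebytes or any provider. Statement text,
dates and the 90-day cadence are constructed assumptions.
"""
import hashlib
import re
from datetime import date

# Matches "As of January 2026, we have not received ..." and the
# "As of January 15, 2026, ..." form; accepts a straight or curly apostrophe.
CANARY_RE = re.compile(
    r"As of (\w+ \d{1,2}, \d{4}|\w+ \d{4}),\s*we (?:have not|haven.t) received",
    re.IGNORECASE,
)
MONTHS = {name: i for i, name in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# Constructed baseline statement, as captured the first time the page was read.
BASELINE_STATEMENT = (
    "As of January 2026, we have not received any secret orders for user data, "
    "and no such order has required us to hand over user data."
)


def parse_canary_date(text):
    """Return the 'As of' date, or None when no canary statement is present."""
    match = CANARY_RE.search(text)
    if not match:
        return None
    parts = match.group(1).replace(",", "").split()
    month = MONTHS.get(parts[0].lower())
    if month is None:
        return None
    if len(parts) == 3:                      # "January 15 2026"
        return date(int(parts[2]), month, int(parts[1]))
    return date(int(parts[1]), month, 1)     # "January 2026" -> first of month


def fingerprint(text):
    """SHA-256 of the statement with its date masked and whitespace collapsed."""
    masked = re.sub(r"As of [^,]+(?:, \d{4})?,", "As of <DATE>,", text,
                    flags=re.IGNORECASE)
    return hashlib.sha256(" ".join(masked.split()).encode()).hexdigest()


def check_canary(text, baseline_fp, today, max_age_days=90):
    """Classify the current page text: 'missing', 'changed', 'stale' or 'ok'."""
    as_of = parse_canary_date(text)
    if as_of is None:
        return "missing"
    if fingerprint(text) != baseline_fp:
        return "changed"
    if (today - as_of).days > max_age_days:
        return "stale"
    return "ok"


def run_demo():
    """Five constructed scenarios; returns {scenario: status}."""
    baseline_fp = fingerprint(BASELINE_STATEMENT)
    refreshed = BASELINE_STATEMENT.replace("January 2026", "April 2026")
    reworded = BASELINE_STATEMENT.replace(
        ", and no such order has required us to hand over user data", "")
    return {
        "fresh": check_canary(BASELINE_STATEMENT, baseline_fp, date(2026, 2, 15)),
        "stale": check_canary(BASELINE_STATEMENT, baseline_fp, date(2026, 6, 1)),
        "refreshed": check_canary(refreshed, baseline_fp, date(2026, 5, 1)),
        "reworded": check_canary(reworded, baseline_fp, date(2026, 2, 15)),
        "removed": check_canary("Privacy policy last revised in 2025.", baseline_fp,
                                date(2026, 2, 15)),
    }


if __name__ == "__main__":
    for scenario, status in run_demo().items():
        print(f"{scenario:10s} -> {status}")
```

Run it on a schedule against the provider's canary page with the fingerprint stored from the first capture; a "stale", "changed" or "missing" result is the signal the article describes, and a "changed" result in particular deserves a human read, since dropping a clause is how a canary can be weakened without being removed.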

Where privacy-first VPNs are heading

Expect to see continued evolution: new cryptography built for a post-quantum world, more transparency from providers, decentralized and community-run VPN options, and tighter integration with secure messaging, encrypted DNS, and whatever comes next.

It’s also worth keeping an eye on how governments respond to rising VPN use. In the UK, for example, new age-verification rules triggered a huge spike in VPN sign-ups and a public debate about whether VPN usage should be monitored more closely. There’s no proposal to restrict or ban VPNs, but the conversation is active.

If you care about your privacy online, don’t settle for slick marketing. Look for the real foundations like modern protocols, owned and well-managed infrastructure, RAM-only servers, regular audits, and a culture that treats transparency as a habit, not a stunt.

Privacy is engineered, not simply promised. With the right VPN, you stay in control of your digital life instead of hoping someone else remembers to keep your secrets safe.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.