Researchers discover major security flaws in popular Android VPN apps
A new academic study revealed massive data leaks and poor security configurations across top Android VPN apps
Security researchers from the University of Michigan and the University of New Mexico discovered that 61 popular Android VPN apps transmitted user data without encryption across more than 10,000 observed traffic flows. The investigative team built a specialised auditing framework called MVPNalyzer to evaluate free applications pulled from the Google Play Store search results and its specific VPN Proxy and Tools category. The compromised applications identified during the academic investigation accumulated a combined total of more than 2.4 billion installs globally.
The NDSS 2026 Symposium reported the tool launch in February, highlighting how the framework analyses network traffic, configuration files, and multi-level device data that usually bypasses manual analysis. The investigation revealed that 29 evaluated applications leaked all network traffic without any encryption through their intended secure tunnels, entirely violating their primary purpose. Furthermore, 24 of these applications leaked user browsing habits via domain name system requests, while six applications exposed browser traffic.
Five specific applications transferred their internal configuration files over entirely unencrypted connections. The scientists successfully demonstrated that such transmission vulnerabilities allow attackers to intercept the file and redirect the user to a malicious server. Beyond direct traffic leaks, 246 applications communicated openly with advertising and tracking servers, while 76 applications transmitted unique Android advertising identifiers that permit continuous tracking across separate applications.
Many applications collected additional user data, including device models, operating system versions, screen specifications, and internet protocol addresses. Third parties use these combined details to establish distinct device fingerprints for tracking purposes. The underlying configuration quality proved equally deficient, as only one out of 108 applications utilising OpenVPN configurations satisfied all the best security practices outlined by the researchers. The authors asserted that these findings indicate a clear necessity for stricter regulation of software in the Play Store alongside continuous independent audits of commercial operations.