Free VPN Apps at Risk: 2.4 Billion User Data Records Leaked

Free VPN Apps at Risk: 2.4 Billion User Data Records Leaked

An international group of researchers has identified serious security issues in free VPN apps designed for the Android operating system. Analysis shows that many services promising privacy can actually expose user data, transmit it to advertising companies, and even allow internet traffic to be hijacked. Most alarmingly, the apps with identified vulnerabilities have been downloaded over 2.4 billion times to date. This is reported by Ixbt.com reports .

The study, conducted by experts from the University of Michigan, the University of New Mexico, and the Indian Institute of Technology Delhi, analyzed 281 applications. Using their custom-developed MVPNalyzer tool, the scientists tested devices running Android 14. The results were presented at the prestigious NDSS cybersecurity conference.

Risk of traffic redirection

During the study, it was revealed that five major VPN apps download configuration files in unencrypted form. These files define connection parameters and the server through which user traffic passes. This situation is particularly dangerous on public Wi-Fi networks in public spaces. Hackers can spoof the connection and redirect all traffic to their own servers, while the user continues to believe the VPN is working as usual.

Data leakage is not limited to traffic alone. It was found that 29 out of the 281 tested apps could not fully protect traffic. Furthermore, the researchers noted the following alarming findings:

  • 76 apps contained a mechanism for transmitting the device's advertising ID;
  • 246 apps connected to advertising and analytics platforms, sending data such as smartphone model, screen size, and Android version;
  • In some cases, apps also transmitted the user's precise GPS coordinates to third parties.

Outdated technologies and weak protection

Experts also paid special attention to the settings of OpenVPN, one of the most popular VPN protocols. Only one out of 108 apps using this protocol met all security requirements. Nearly 89 percent of the programs used only a single authentication method instead of a combination of a trusted certificate and password, which drastically reduces the level of protection.

Additionally, one in five apps uses Blowfish and Triple DES encryption algorithms, which are considered outdated and weak today. According to ixbt.com, the problem is exacerbated by the fact that many free services are not updated in a timely manner. Even the Verified badge in the Google Play store cannot guarantee the absolute security of an app, as automated checks cannot always detect such complex vulnerabilities.

Experts advise users to be cautious of free VPN services that offer aggressive advertising. This is a relevant topic for users in Uzbekistan as well, as many use such free apps to access social networks. The most reliable way is to choose paid or reputable services that have undergone independent security audits and have proven their data protection in practice.

Add Zamin.uz to GoogleRead "Zamin" on Telegram!
Discuss with Zamin AIAnalyze the news, get useful answers

Comments 0

Related news