Cyber Security News

Free Android VPNs Suffering Encryption Failures, New Report

VPN apps for Android increase privacy and security over the internet since connection data is encrypted, consequently making it impossible for hackers or other parties to access communication data. 

They also help unblock region-restricted content through IP address hiding, support anonymity on the Internet, and protect secure information more so when using insecure Wi-Fi.

Cybersecurity researcher Simon Migliano at Top10VPN recently discovered that free Android VPNs are suffering encryption failures.

Free VPNs Encryption Failures

Encouraged by the growing trends of government-imposed internet restrictions worldwide and subsequent appeal for virtual private networks (VPNs), this study examines the privacy and security issues about free VPN applications.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Since 2018, the total installations of the 100 most popular free Android VPNs have skyrocketed from 260 million to over 2.5 billion.

This in-depth research evaluated the privacy and security risks associated with the top 100 free Android VPN apps, which have garnered over 2.5 billion total installations due to increasing global demand.

By testing each app on separate devices, using various tools within an isolated environment, the study identified shocking flaws in encryption, data leakage, and privacy-infringing functions in the codes of these apps.

Most importantly, it was discovered that most of them openly shared personal user information directly with firms such as “Yandex” and “Bytedance,” consequently showing a contradiction between serving people without charging them and safeguarding a VPN’s real confidentiality goal.

For those who cannot afford to pay for VPNs, it is possible to find good, free ones by doing extensive research. However, affordable paid options are more reliable.

The tests revealed worrying encryption flaws and data leakage among all 100 free VPN applications.

11 experienced full-scale breakdowns in the encryption process, slightly over a third deployed an inadequate form of encryption, and few used the best hashing algorithms or TLS 1.3.

This resulted from 88 leaking information, including 83 that disclosed DNS requests and 79 that did not tunnel all traffic. Over half of these applications suffered from connection instability.

A comprehensive study on user privacy and security vulnerabilities, conducted through Wireshark traffic analysis within a unique test environment, unraveled such extensive vulnerabilities.

Here below, we have mentioned the names of those 11 VPNs:-

  • HTTP Injector
  • Phone Guardian VPN
  • VPN Private
  • iTop VPN
  • PotatoVPN
  • Swift VPN
  • Tenta Private VPN Browser
  • Maple VPN
  • GoFly VPN
  • AVG Secure Browser
  • VPN Satoshi

11 apps were found to have no encryption at all, consequently exposing the browsing activities.

Many of these data leaks were widely spread, 83 of them leaked DNS requests and only 79 could tunnel all traffic.

In addition, many of the investigated apps (96) contained code with potential privacy impacts but some had first-party location tracking together with permissions.

More worrying were those with 12 apps, including third-party precise location tracking code and permissions; some even track in the background.

The main contributors to major privacy concerns included SDKs such as ByteDance, Yandex, and Facebook embedded in popular apps.

In total, during this test period, 71 applications shared personal information while their VPN was still running.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Google Chrome Warns of Malicious Files While Downloading

Google Chrome has introduced a revamped download experience with comprehensive warnings about potentially malicious files. This update is part of…

57 mins ago

Microsoft’s Windows Hello for Business Flaw Let Attackers Bypass Authentication

Researchers have uncovered a vulnerability in Microsoft's Windows Hello for Business (WHfB) that allows attackers to bypass its robust authentication…

3 hours ago

LummaC2 Malware Using Steam Gaming Platform as C2 Server

Cybersecurity experts have uncovered a sophisticated variant of the LummaC2 malware that leverages the popular Steam gaming platform as a…

4 hours ago

Ukraine Hackers Hit Major Russian banks with DDoS attacks

Several prominent Russian bank clients experienced issues with their mobile apps and websites. According to Downdetector, complaints began to surge…

8 hours ago

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses. Clicking a PDF attachment's link triggers…

24 hours ago

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive data breach. According to a recent…

1 day ago