Your Highly Rated VPN App Could Be Hiding Malware to Track Your Data – List of Apps to Avoid


The primary reason to use a VPN app is to encrypt information, hide our identity online and keep data secure. However, not all the apps that are marketed as offering data security are as secure as they claim to be.

Extensive research from Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) and researchers from the University of South Wales and UC Berkeley found that over 38% of Android VPN apps contain malware and track users.

Don't trust ratings either

The research group studied 234 VPN apps on the Google Play Store. Of these analyzed VPN apps, more than a third were discovered to be tracking users through malvertising. If that isn't enough of a fraud, 18 percent of these apps didn't even encrypt internet traffic at all.

While 37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating, over 38% of them contain some malware presence according to VirusTotal.

The research further revealed that eight in every ten analyzed Android VPN apps also demanded access to personal data, including user accounts and text messages.

Google Play Store has been in all kinds of bad news lately. An earlier report from Check Point revealed that last year's HummingBad malware had managed to infiltrate Google Play, bypassing all its security checks thanks to the malware's rapid evolution.

Google has taken down all the infected apps. However, it isn't clear whether more such apps will manage to bypass security filters, or whether Google has employed additional security measures to ensure that HummingWhale (the latest variant of HummingBad) apps don't get past these filters in the future. We couldn't get any comment from Google's security team, and Check Point said that since "Google keeps its security measures as a secret," they wouldn't know of any changes.

Using an Android VPN app? Here are the worst VPN apps that you never want to use

While we aren't sure of the status of HummingWhale, we can at least help our readers learn about the Android VPN apps that should be avoided - thanks to the research of CSIRO. Please note that some of these apps have already been taken down by Google.

  1. OkVpn (4.2 rating)
  2. EasyVpn
  3. SuperVPN
  4. Betternet (4.3 rating; 5 million downloads)
  5. CrossVpn
  6. Archie VPN
  7. HatVPN
  8. sFly Network Booster
  9. One Click VPN (4.3 rating; 1 million downloads)
  10. Fast Secure Payment

Some of these infected Android VPN apps also routed traffic through other users' devices. "Our network measurements also suggest that 16% of the analyzed apps may forward traffic through other participating users in a peer-forwarding fashion rather than using machines hosted in the cloud," which means that you could be unknowingly facilitating the process of content transmission.

"This forwarding model raises a number of trust, security, and privacy concerns for participating users."

For those interested, the complete research can be accessed here [PDF].