These Android Apps Are Tracking Users, Infecting Phones

If you're using a VPN app on your Android device, there's a surprisingly strong chance that your data is at risk, and that your phone or tablet might even become infected with malware.

Credit: Denys Prykhodov/Shutterstock

In a study published recently by researchers from Australia's Commonwealth Scientific and Industrial Research Organization (CSIRO), the University of New South Wales (which issued a non-technical press release) and the University of California, Berkeley, 283 Android VPN apps were analyzed for security and privacy. The researchers found that the apps often fell far short of their promises of enhanced security, and in many cases, injected malware or adware into user devices.

"Millions of users appear to trust VPN apps despite their potential maliciousness," the study noted. Yet "VPN apps like HideMyAss and VPNSecure which claim to provide security and anonymity are not effective against surveillance and malicious agents."

One of the worst offenders was AnchorFree's Hotspot Shield, which has been installed on more than 10 million Android devices. The study found that Hotspot Shield actively injected JavaScript into web pages, and redirected e-commerce traffic to AnchorFree's partners. On the other extreme, F-Secure's Freedome service was found to block ads and third-party trackers, adding another degree of privacy.

Hotspot Shield didn't inject malware into user devices, but plenty of other apps apparently did, including CrossVPN, EasyVPN and SuperVPN.

Seventy-five percent of all the Android VPN apps the researchers tested used third-party tracking software to follow users' movements around the internet, and 82 percent requested access to private data, such as user accounts and text messages. Even worse, 38 percent of the apps contained code pertaining to some form of malware or adware. And 18 percent of the VPN apps couldn't even do their most basic jobs — they didn't use encryption for their tunneling protocols.

"Our results show that — in spite of the promises for privacy, security and anonymity given by the majority of VPN apps — millions of users may be unawarely (sic) subject to poor security guarantees and abusive practices inflicted by VPN apps," the researchers wrote in the report.

The dodgy VPN apps were a mix of free and paid apps. EasyVPN and OKVPN, the two apps with the highest malware count, were paid. Since the study was conducted, both have been removed from Google Play.

VPN services promise to deliver all kinds of important security and privacy features to users. They can protect a user's data and communications while the user is on an unsecured Wi-Fi network, for example. They can protect your identity when you're surfing around the web. They can also be used to circumvent censorship or get access to copyrighted content that might not otherwise be available in certain countries.

Still, the researchers' study suggests that not all VPNs are created equal. Although they promise better security, they might not always deliver it. What's worse, the apps are readily available in the Google Play marketplace, suggesting people around the globe are able to easily access them and unwittingly get more than they bargained for when they download the programs.

"The average mobile user rates VPN apps positively even when they have malware presence," the study noted. "Only a handful of users has raised any type of security and privacy concern in their [Google Play app store] reviews."

"The vast majority of users remain unaware of such practices" — tracking and adware — "even when considering relatively popular apps."

In other words, be very careful about the VPN apps you choose.