Free VPNs put the privacy of millions at risk

  • A Zimperium analysis reveals serious flaws in hundreds of free VPN apps for iOS and Android.
  • Intrusive permissions, outdated libraries, and missing privacy policies expose user data.
  • Cases of scam apps, such as an IPTV+VPN that installs the Klopatra Trojan, worsen the situation.
  • Recommendations: Avoid downloads outside of official stores, check permissions, and opt for audited services.

Free Privacy and VPN

Free VPN applications, which promise anonymity and security, are under scrutiny for exposing their users' sensitive data. A new independent analysis warns that millions of people could be unknowingly giving away their information every time they activate one of these tools.

The research covers both iOS and Android and concludes that not all free VPNs deliver what they promise: some lack valid privacy policies, ask for excessive permissions, and use vulnerable components, opening the door to leaks and unauthorized access.

What the Zimperium analysis reveals

Risks of free VPNs

The Insecure Mobile VPNs: The Hidden Danger white paper examined 800 mobile VPN apps —400 for iOS and 400 for Android— and found a worrying pattern in many of them.

According to the data, 25% of free VPNs for iOS lack a valid privacy policy, an omission that leaves users unclear about how their data is being handled.

On Android, the problem is no less serious: 18% of the apps analyzed do not offer an accessible privacy policy, making it difficult to exercise informed consent and understand with whom data is being shared.

The study also finds that 6% request privileged permissions that should not be accessible to a VPN, enabling deep access to the system that increases the risk of abuse.

Intrusive permissions and vulnerable libraries

VPN app permissions

Among the problematic permissions on Android are AUTHENTICATE_ACCOUNTS and READ_LOGS, which allow an app to manage accounts and read system logs, respectively: a spying potential that is difficult to justify for a VPN.
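As an added illustration (not code from the article or from Zimperium's white paper), the following Python script parses an Android manifest and flags the permissions the article singles out as unjustifiable for a VPN client. The sample manifest, the package name `com.example.freevpn`, the service name and the allow-list of "expected" VPN permissions are constructed assumptions for this example; BIND_ACCESSIBILITY_SERVICE is included because the Klopatra case below turns on Accessibility Services abuse.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article names (READ_LOGS, AUTHENTICATE_ACCOUNTS), plus
# accessibility-service binding, which the Klopatra campaign abused. None of
# them has a functional justification in a VPN client.
HIGH_RISK = {
    "android.permission.READ_LOGS": "read system logs",
    "android.permission.AUTHENTICATE_ACCOUNTS": "manage device accounts",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen reading, input injection)",
}

# Assumed allow-list of permissions a VPN client plausibly needs.
# BIND_VPN_SERVICE is declared on the VpnService itself, not as <uses-permission>.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.BIND_VPN_SERVICE",
}

# Constructed sample manifest (hypothetical package) carrying two of the
# article's problematic permissions and one unrelated extra.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Split the permissions a manifest asks for into flagged (known high-risk),
    unexpected (outside the VPN allow-list) and the full requested list."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]
    # Service-level permissions (android:permission on <service>) are where
    # BIND_VPN_SERVICE and BIND_ACCESSIBILITY_SERVICE appear.
    requested += [svc.get(PERMISSION) for svc in root.iter("service") if svc.get(PERMISSION)]
    flagged = {p: HIGH_RISK[p] for p in requested if p in HIGH_RISK}
    unexpected = sorted(p for p in requested if p not in EXPECTED and p not in HIGH_RISK)
    return {"requested": requested, "flagged": flagged, "unexpected": unexpected}


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in result["flagged"].items():
        print(f"HIGH RISK  {perm}: {why}")
    for perm in result["unexpected"]:
        print(f"REVIEW     {perm}: not needed by a VPN client")
```

On a real APK the manifest is stored in binary XML, so it must first be decoded (for example with apktool or aapt) before being fed to `audit_manifest`; the allow-list is deliberately narrow so that anything outside it is surfaced for a human to justify rather than silently accepted.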

On iOS, researchers describe requests for continuous access to geolocation and the local network, a combination that can profile movements and scan nearby devices without a solid functional reason.

In addition, several applications integrate outdated versions of OpenSSL vulnerable to Heartbleed (CVE-2014-0160), a flaw that enables memory access and the exfiltration of keys and passwords.
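As an added example (not from the article or the white paper), here is a Python triage routine that scans the strings of a bundled native library for the OpenSSL version banner and classifies it against the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix). The two library names and their byte contents are constructed stand-ins, not real files.

```python
import re

# Version banner compiled into libssl/libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def heartbleed_affected(major: int, minor: int, patch: int, letter: str) -> bool:
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
    (1.0.2-beta1 was also affected, but pre-release tags are not parsed here.)"""
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter == "" or letter <= "f"


def scan_for_openssl(blob: bytes) -> list:
    """Find every OpenSSL version banner in a binary blob and classify it."""
    findings = []
    for m in VERSION_RE.finditer(blob):
        major, minor, patch = (int(g) for g in m.group(1, 2, 3))
        letter = m.group(4).decode("ascii")
        findings.append({
            "offset": m.start(),
            "version": f"{major}.{minor}.{patch}{letter}",
            "heartbleed": heartbleed_affected(major, minor, patch, letter),
        })
    return findings


# Constructed stand-in for the strings section of two bundled native libraries
# (hypothetical file names; the bytes are not from any real binary).
SAMPLE_LIBS = {
    "libssl_old.so": b"\x00\x00libssl\x00OpenSSL 1.0.1e 11 Feb 2013\x00TLSv1\x00",
    "libcrypto_new.so": b"\x00OpenSSL 1.1.1w  11 Sep 2023\x00AES-GCM\x00",
}


def report(libs: dict) -> dict:
    """Map each library name to the OpenSSL banners found inside it."""
    return {name: scan_for_openssl(data) for name, data in libs.items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_LIBS).items():
        for f in findings:
            status = "HEARTBLEED" if f["heartbleed"] else "ok"
            print(f"{name}: OpenSSL {f['version']} at offset {f['offset']} -> {status}")
```

In practice the libraries live under `lib/<abi>/` inside the APK zip and are unpacked before scanning. The banner only proves which OpenSSL release was compiled in; a build with the heartbeat extension disabled would carry the same string, so a hit is a reason to test or ask the vendor, not a confirmed vulnerability on its own.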

There are even clients with incorrect certificate validation: about 1% were susceptible to man-in-the-middle (MitM) attacks, putting all supposedly encrypted traffic at risk.

A risk that also affects companies

Corporate security and VPN

In environments with BYOD policies, an insecure VPN client can become the weak link that leaks corporate data or opens the door to intrusions into internal networks.

The lack of transparency —including privacy statements that are missing or inconsistent with actual operation— prevents companies from adequately assessing the risk and implementing effective controls.

Scam Apps: IPTV+VPN Installs a Banking Trojan

Threats in fake apps

The firm Cleafy warned about Mobdro Pro IP TV + VPN, an app that presented itself as a streaming and VPN solution, but acted as an installer of the banking Trojan Klopatra.

Once the permissions were granted, the attackers gained full control of the device, able to read messages, steal credentials and order fraudulent transfers.

The campaign, with nearly 3,000 confirmed infections —mainly in Spain and Italy—, relied on social engineering techniques and the abuse of Android Accessibility Services.

Distribution outside of Google Play (sideloading) and the use of two active botnets facilitated the spread, illustrating the added risk of installing apps from unverified sources.

Popular services under scrutiny for transparency and encryption

VPN Service Evaluation

The VPN Transparency Report prepared by the Open Technology Fund examined 32 commercial suppliers and documented weaknesses in several heavily downloaded services.

Researchers warn of protocols presented as “strong encryption” that actually use technologies such as Shadowsocks, which was not designed to guarantee end-to-end confidentiality.

With some clients exceeding 100 million downloads, the combination of popularity and opacity about their internal workings increases the risk surface for less experienced users.

This finding reinforces the need for any provider handling sensitive traffic.

Why free VPNs are still used and how to reduce the risk

Good practices with VPN

A survey cited by NordVPN reveals that 12% of VPN users in the UK still rely on free services, despite the fact that the general level of knowledge already reaches 80%.

The reasons include the perception of savings, store ratings focused on speed, and the false equivalence of “the basics” between free and paid options.

Kaspersky recalls that, historically, free VPNs have served as bait to monetize data or fuel botnets, something consistent with the recent technical findings.

To minimize risks, experts recommend avoiding sideloading, reviewing permissions and choosing providers with external audits, a no-logs policy and up-to-date encryption. In Spain, INCIBE suggests checking the company's jurisdiction, the technology used and its commitment to data protection before installing anything.

The picture drawn by these investigations is clear: free VPNs, far from protecting your browsing, can compromise it. Choosing tools with guarantees, reading the fine print, and being wary of "unlimited and free" offers are key steps to avoid making privacy a bargaining chip.
