VPN: How an app meant to protect your privacy could be exposing you instead

VPNs cost money to operate. When users get the service free, their activity and data may become the product, while weak implementation can expose both individuals and enterprises to security risks

VPN (Image: Pixabay)
VPN (Image: Pixabay)
Aashish Kumar Shrivastava New Delhi
9 min read Last Updated : Jul 14 2026 | 4:14 PM IST
A paper by researchers from the University of Michigan, the University of New Mexico and the Indian Institute of Technology (IIT) Delhi found that many of the most popular free Virtual Private Network (VPN) apps on the Google Play Store fail at the basic tasks users expect from them: keeping internet traffic private and secure.
 
The apps found to have problems have collectively been installed more than 2.4 billion times.
 
Researchers tested 281 of the most popular VPN apps available on the Google Play Store and found security flaws. Twenty-nine apps allowed user traffic to leak outside the encrypted tunnel, including Domain Name System (DNS) lookups that can reveal which websites users visit. Sixty-one apps transmitted some data in plain text, allowing anyone monitoring network traffic to read it.
 
For the uninitiated, a VPN acts as a privacy shield for an internet connection. It encrypts online traffic before it leaves a device, making it harder for others to intercept or monitor it. Not all VPN apps, however, offer the same level of protection.

What is VPN tunnel hijacking

One of the most serious findings involved five apps — BambooVPN, VPN Pro, Free VPN, Hexa VPN and 101 VPN — that downloaded their configuration files without encryption.
 
The configuration file tells the app which server to connect to. If it travels in plain text, an attacker on the same network, such as a public Wi-Fi operator, can alter it in transit and redirect the app to a server under the attacker's control.
 
The user may still see the usual "connected" status while all internet traffic is routed through the malicious server.
 
Shriya Mehrotra, director analyst at Gartner, told Business Standard that tunnel hijacking can force a VPN to route traffic outside the protected tunnel or connect to the wrong endpoint.
 
Ordinary users usually cannot detect such an attack reliably in real time and have little visibility into where it is taking place, which networks are involved or what attackers may gain if it succeeds, she said.
 
The threat is particularly serious on public Wi-Fi because anyone on the same network may be able to intercept an unencrypted configuration file. Coffee shops, airports and hotels are among the places where people are most likely to use VPNs and where tunnel hijacking may be most effective.
 
Mehrotra said the lack of visibility is precisely what makes such attacks concerning. Users may believe their traffic is protected while sensitive information is being routed in ways they neither intended nor can easily observe.

The VPN trust trade-off users often overlook

A VPN wraps internet traffic in an encrypted tunnel so that an internet service provider or an eavesdropper cannot easily see what a user is doing.
 
The trade-off is that the VPN provider can potentially see that traffic instead.
 
A VPN, therefore, does not eliminate the need to trust someone. It shifts that trust from the internet provider to the company that built and operates the app.
 
That makes the choice of VPN provider critical.
 
According to Mehrotra, users should look beyond features and pricing and assess a provider's ownership, jurisdiction and commitment to transparency.
 
They should understand who owns the service, where the company is legally based, whether it publishes transparency reports and how it responds to legal or government requests for user information.
 
A VPN is fundamentally a trust-based service, she said, making the identity and practices of the company protecting the data as important as the underlying technology.
 
This is the gap many users do not understand. They install VPNs expecting free privacy, but are often merely choosing a different party to trust.

The economics behind free VPN apps

VPNs cost money to operate.
 
Providers must pay for servers, bandwidth, encryption infrastructure and maintenance. If users are not paying for the service, the company must generate revenue elsewhere.
 
That may involve tracking activity, selling data to advertisers or including users in an advertising network.
 
The study found that 76 apps transmitted advertising identifiers, while more than 80 per cent of the audited apps contacted known advertising and tracking servers.
 
Users may not be receiving free privacy. Their data and activity may instead be helping fund the service.

Why no two VPN apps offer the same protection

One of the biggest misconceptions about VPNs is that they all function in the same way.
 
"No two VPNs offer exactly the same level of protection. VPN services differ in what they secure, how they handle user data and how effectively they protect traffic from leaks and attacks. Ultimately, a VPN's security is shaped by the quality of its implementation and its interaction with the underlying operating system, not simply by the brand name or marketing behind it," Mehrotra said.
 
The study's findings reflect those differences.
 
Twenty-nine apps allowed traffic to leak outside the encrypted tunnel. Sixty-one transmitted data in plain text. Four apps operated tunnels without encryption.
 
Only one of the 108 apps examined in a deeper security audit followed every recommended security practice.
 
The difference between VPNs, therefore, lies not only in features or pricing but also in the quality of their implementation.

Can a badly implemented VPN be more dangerous than no VPN?

This is the critical question many users do not ask.
 
"A badly implemented VPN can be more dangerous than having no VPN at all because it creates a false sense of security. When users believe they are protected, they are often more willing to perform sensitive activities such as online banking, accessing corporate resources or using public Wi-Fi networks. If the VPN is poorly implemented, it may still leak data, enable tracking or expose traffic, leaving users vulnerable at precisely the moments they feel most secure," Mehrotra said.
 
The Zscaler ThreatLabz 2026 VPN Risk Report adds another dimension to the problem.
 
Traditional VPN architectures can create security blind spots by giving users broad network access, offering limited traffic inspection and enabling lateral movement. This can increase organisational risk if modern security controls are not in place.
 
The report argues that a VPN should not automatically be equated with security and that traditional VPNs are increasingly inadequate against AI-driven attacks.

Why insecure consumer VPNs pose an enterprise risk

Insecure consumer VPNs are not only an individual problem. They can also become an enterprise security risk.
 
When remote employees use consumer VPNs to access corporate resources, they may create security blind spots for the wider organisation.
 
The Zscaler report highlights how attackers increasingly exploit VPNs through credential theft, phishing, unpatched vulnerabilities and ransomware campaigns.
 
If a remote employee uses a badly implemented consumer VPN to access a company's internal systems and that connection leaks traffic or is hijacked, the attacker may gain more than the employee's personal information. Corporate systems and internal resources may also be exposed.
 
The academic study found that 29 apps leaked traffic outside the encrypted tunnel, including DNS lookups that reveal which websites users visit.
 
If an employee uses one of these apps to access corporate resources, the organisation's internal websites may become visible to others on the local network.
 
The Zscaler report also identifies VPNs as a potential initial-access route for attackers. AI-powered social engineering can increase the risk of credential theft, while a single compromised credential may provide access to a wider corporate network.
 
When employees use insecure consumer VPNs, they may be weakening the organisation's defences without realising it.

Free VPN security failures point to a systemic problem

The latest findings are not isolated.
 
In August 2025, researchers at the University of Toronto's Citizen Lab and Arizona State University found that several popular Android VPN apps, with more than 700 million combined downloads, were secretly linked, shared hard-coded passwords and collected location information.
 
In October 2025, mobile security company Zimperium reported that three of about 800 free VPN apps it tested still included an OpenSSL library vulnerable to Heartbleed, a widely known flaw that was patched in 2014.
 
Many of the apps also requested phone permissions beyond what a VPN required.
 
The three studies point to a common pattern: free VPN apps often combine strong privacy claims with weak engineering and can reach millions of users before their flaws are identified.
 
The underlying problem is poor maintenance and weak oversight.
 
Many apps rank among the top search results on the Play Store, where Google's safety labels and "Verified" badge for VPN apps are intended to signal trust.
 
Google told The Hacker News that it takes security and privacy allegations against apps seriously and takes appropriate action when an app violates its policies.
 
The company added that its Data safety rules require developers to declare their data practices accurately, with responsibility for those disclosures resting with the developer.

What users and enterprises should understand about VPN risks

Free VPNs can create a false sense of security while exposing users to network attacks, tracking and data leaks.
 
The problem is not limited to a handful of poorly designed apps. The findings point to weaknesses across a wider part of the industry.
 
Users may need to shift their thinking from "trust-free privacy" to a more basic question: Who do they trust with their internet traffic?
 
A badly implemented VPN can be more dangerous than using no VPN because it encourages users to carry out sensitive activities under the assumption that they are protected.
 
Enterprises must also recognise that insecure consumer VPNs used by employees can expose more than personal information. They may place corporate systems, credentials and internal resources at risk.
 
The apps meant to protect users may instead expose them and, when used for work, potentially expose their employers as well.

More From This Section

Topics :Latest Technology NewscybersecurityEnterprise security

First Published: Jul 14 2026 | 4:14 PM IST

Next Story