An analysis of hundreds of Android virtual private network (VPN) apps has found that 18 per cent do not encrypt users' traffic and 38 per cent inject malware.
The analysis of 283 Android apps that use the Android VPN permission, by researchers from CSIRO, the University of New South Wales and the University of Berkeley, also found that 82 per cent of the apps requested to access sensitive data such as user accounts and text messages.
"Our results show that – in spite of the promises for privacy, security and anonymity given by the majority of VPN apps – millions of users may be unwarily subject to poor security guarantees and abusive practices inflicted by VPN apps," the paper, published in November, states.
Even though 67 per cent of the identified VPN apps offered services to enhance online privacy and security, 75 per cent of them were found to use third-party tracking libraries.
"Many apps may legitimately use the VPN permission to offer some form of online anonymity or to enable access to censored content. However, malicious app developers may abuse it to harvest users' personal information," the researchers said. "According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness."
Unsurprisingly, the hosting infrastructure of VPN apps is concentrated in the US. However, the researchers suggested that up to 16 per cent of the apps they analysed forwarded traffic through other users in a peer-forwarding fashion rather than using machines in the cloud.
"This forwarding model raises a number of trust, security, and privacy concerns for participating users," researchers said.
Despite the worrying findings, an analysis of user reviews in the Google Play store found that a quarter of the apps received a four-star or higher rating, in spite of their potential for malicious activity. Only a marginal number of users publicly raised any security or privacy concerns in their reviews.
Android's official documentation highlights the serious security concerns that the VPN permission raises, as it allows an app to intercept and take full control over a user's traffic.
Users, however, either don’t care or are unaware of the implications: less than 1 per cent had any security or privacy concerns about the apps.
"A large fraction of mobile users may however lack the necessary technical background to fully understand the potential implications," researchers suggested. "Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user's privacy and security remains 'terra incognita' even for tech-savvy users."