- Many free VPNs act like spyware, collecting sensitive user information.
- Several apps abuse permissions, turning privacy tools into tracking systems
- VPN developers often justify excessive access with misleading security explanations
The growing popularity of free VPN apps has provided mobile users with an easy path to privacy. However, new evidence also suggests that many of these apps might do the opposite of what they promise.
A study by Zimperium zLabs claimed that a large portion of free VPNs for Android and iOS request excessive permissions, use outdated code, and can expose users to surveillance risks.
Despite the breadth of the findings, the report did not reveal which apps were involved, leaving users to rely on their own caution when choosing what they think is the best free VPN service.
A VPN app is supposed to encrypt and protect network traffic, but many of those analyzed exhibit behaviors that contradict this goal.
Some request Android’s “READ_LOGS” permission, which allows them to view system-wide activity, potentially giving them access to usernames, passwords, and personal messages.
This capability effectively turns them into spyware, capable of recording keystrokes and avoiding detection of mobile threats.
Others seek iOS permissions such as “LOCATION_ALWAYS”, granting 24-hour GPS tracking that allows continuous monitoring of a user’s movements.
These permissions, which have no legitimate use in a VPN, can be combined with traffic data to create detailed profiles of a person’s online and offline habits.
Zimperium’s analysis found numerous cases where free VPN apps requested “private rights,” which allow deep access to a device’s operating system.
Such privileges can allow an app to execute code, extract sensitive data, or take control of the device, creating serious privacy and security risks.
Some applications also use outdated OpenSSL libraries, still vulnerable to the 2014 Heartbleed bug, showing that many developers are neglecting even basic patching standards.
Others fail to properly validate certificates, exposing users to man-in-the-middle attacks that allow interception of supposedly secure traffic.
Researchers also found VPN apps asking for permissions like “USE_LOCAL_NETWORK.”
This allows them to map nearby devices on a Wi-Fi network, a function better suited to malware than security software.
Developers sometimes justify such access by claiming that it improves “connection troubleshooting”, but in practice it enables device scanning and network reconnaissance.
Several apps can even capture screenshots, exposing user data visible on the screen.
With hundreds of VPNs posing such risks, the difference between secure and insecure tools becomes crucial.
Unfortunately, Zimperium refused to share the list of these VPNs. Users should therefore approach free VPNs with skepticism.
Additionally, they should favor providers that undergo independent audits, clearly disclose their privacy policies, and avoid intrusive permissions.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
