Downloading an application means that you are allowing the software open access to your mobile phone and all the data stored on it. Often, these applications are used for spying by individuals or state-sponsored groups of hackers. The criticism received by ZTE and Huawei for collecting and sending data to China shows how these apps can invade your privacy without you being notified about it.
As you know, Virtual Private Network (VPN) apps are considered a reliable way to ensure data safety while using applications. VPNs encrypt the data you share online and hence provide full security for the information. However, contrary to popular belief, not all VPNs are as reliable and secure. Research conducted by Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO), the University of South Wales and UC Berkeley found that nearly 38% of Android VPN apps are infected with malware, which makes blind trust in these apps imprudent.
The research teams studied around 234 VPN apps that were uploaded to the Google Play Store, and a startling one-third were identified as tracking users via malware. Some apps carried out malvertising campaigns, while 18% of them didn’t encrypt internet data as promised. 8 out of 10 apps requested permission to access sensitive data such as text messages and user account credentials. This proves that the primary function such VPN apps are required to perform, which is to protect user data, is not being performed by the available apps at all. It cannot be overlooked that these VPN apps are used by hundreds and thousands of users across the globe.
To carry out the research, the team downloaded tools to reverse-engineer the APK (Android Application Package) used by each app. They then checked the Android Manifest file, which provides information about the app such as the access permissions it requests, and the source code. Later, they ranked the apps based on their findings. The ratings were given as per the anti-virus ranking.
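The manifest check described above can be sketched as follows. This is an added example, not the research team's tooling: the sample manifest is constructed, the function name `audit_manifest` is hypothetical, and the set of permissions treated as sensitive is an assumption based on the text-message and account access mentioned in the article.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for android:* attributes in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions a VPN client has no obvious need for (texts, accounts).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample: a manifest in the decoded text form left after unpacking an APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.samplevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Report whether the app declares a VPN service and which sensitive permissions it requests."""
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A VPN client declares a service protected by BIND_VPN_SERVICE.
    is_vpn = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "declares_vpn_service": is_vpn,
        "sensitive_permissions": sorted(requested & SENSITIVE),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

An app that declares a VPN service and also requests text-message or account access is the combination the article flags as worth a closer look before installing.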
The top ten worst VPNs as finalized by the research team include these apps: 1. OkVpn, 2. EasyVpn, 3. SuperVPN, 4. Betternet, 5. CrossVpn, 6. Archie VPN, 7. HatVPN, 8. sFly Network Booster, 9. One Click VPN and 10. Fast Secure Payment.
43% of these apps were infected with adware, 17% encouraged malvertising, 6% had riskware and 5% were plagued with spyware. Three of the ten apps, namely OkVpn, EasyVPN and sFly Network Booster, weren’t listed in the Google Play Store and were deleted from the platform in August 2016.
“Android app developers benefit from native support to implement VPN clients via the VPN permission to provide censorship circumvention, support enterprise customers and enhanced online security and privacy. However, despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains ‘terra incognita’ even for tech-savvy users,” according to the research team.
“In spite of the promise of privacy, security and anonymity given by the majority of VPN apps – millions of users may be unawarely [sic] subject to poor security guarantees and abusive practices inflicted by VPN apps,” concluded the team.
CSIRO’s professor and senior principal researcher Dali Kaafar stated that Android owners need to compare functionality and check app reviews when downloading VPNs. Kaafar advises that users pay attention to the permissions demanded by the apps they download and learn about the seriousness of the issues associated with infected VPN apps.