- Many free VPNs act like spyware and collect sensitive user information.
- Several apps misuse permissions, turning privacy tools into tracking systems.
- VPN developers often justify excessive access with misleading security explanations.
The growing popularity of free VPN apps has given mobile users an easy path to privacy. However, new evidence suggests that many of these apps may be doing the opposite of what they promise.
Research from Zimperium zLabs reports that a large portion of free VPNs for Android and iOS request excessive permissions, use outdated code, and can expose users to surveillance-level risks.
Despite the magnitude of the findings, the report did not reveal which apps were involved, leaving users to rely on their own caution when choosing what they believe is the best free VPN service.
A VPN app is supposed to encrypt and protect network traffic, but many of those tested exhibit behavior that contradicts this purpose.
Some request Android’s “READ_LOGS” permission, which allows them to view system-wide activity, potentially giving them access to usernames, passwords, and personal messages.
This ability effectively turns them into spyware, capable of keylogging and avoiding detection of mobile threats.
Others seek iOS permissions like “LOCATION_ALWAYS,” which grants 24-hour GPS tracking that allows continuous surveillance of a user’s movements.
These permissions, which have no legitimate use in a VPN, can be combined with traffic data to create detailed profiles of a person’s online and offline habits.
Zimperium’s analysis found many cases where free VPN apps requested “private rights,” which allow deep access to a device’s operating system.
Such privileges can allow an app to execute code, extract sensitive data, or gain control over the device, creating serious privacy and security risks.
Some applications also use outdated OpenSSL libraries that are still vulnerable to the 2014 Heartbleed bug, showing that many developers are neglecting even basic patching standards.
Others do not validate certificates correctly, exposing users to man-in-the-middle attacks that allow the interception of supposedly secure traffic.
The researchers also found VPN apps requesting permissions like “USE_LOCAL_NETWORK.”
This allows them to map nearby devices on a Wi-Fi network, a feature better suited for malware than security software.
Developers sometimes justify such access by claiming that it improves “connection troubleshooting,” but in practice it allows device scanning and network reconnaissance.
Various applications can even take screenshots, exposing user data that is visible on the screen.
Since hundreds of VPNs have been found to pose such risks, the difference between secure and insecure tools becomes critical.
Unfortunately, Zimperium declined to share the list of these VPNs, so users should approach free VPNs with skepticism.
Additionally, they should favor providers that undergo independent audits, clearly disclose their privacy policies, and avoid intrusive permissions.
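As an added example (not from Zimperium's report or this article), the following Python checks a decoded AndroidManifest.xml and an iOS Info.plist for the kinds of permissions described above. The mapping of the article's permission names to platform identifiers, the function names and the sample inputs are assumptions constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: platform identifiers corresponding to the names the article quotes.
ANDROID_RISKY = {
    "android.permission.READ_LOGS": "system-wide log access",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
}
IOS_RISKY = {
    "NSLocationAlwaysAndWhenInUseUsageDescription": "always-on location",
    "NSLocalNetworkUsageDescription": "local network discovery",
}


def audit_android_manifest(xml_text):
    """Return (is_vpn, findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A VPN app declares a service guarded by BIND_VPN_SERVICE.
    is_vpn = any(
        svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    findings = sorted((p, why) for p, why in ANDROID_RISKY.items() if p in requested)
    return is_vpn, findings


def audit_ios_plist(plist_bytes):
    """Return findings for an Info.plist (XML or binary format)."""
    info = plistlib.loads(plist_bytes)
    return sorted((k, why) for k, why in IOS_RISKY.items() if k in info)


# Constructed sample inputs, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application>
    <service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.freevpn",
    "NSLocalNetworkUsageDescription": "Connection troubleshooting",
})
if __name__ == "__main__":
    print(audit_android_manifest(SAMPLE_MANIFEST))
    print(audit_ios_plist(SAMPLE_PLIST))
```

The manifest inside an APK is stored as binary XML, so this assumes it has already been decoded to text with a tool such as apktool.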