Google is on a mission to enhance security for Android users, narrowing the infamous gap to Apple’s more secure, more private iPhone. Play Store is key to this, and is now undergoing huge changes as thousands of apps are deleted and its Play Protect finally addresses threats from apps installed or updated from outside Play Store.

The Play Store app purge focuses on lower-quality, likely higher-risk apps, most of which are free but which open users to malware or fraudulent ads or subscriptions. And now, even when apps have not yet been flagged by Google, Android 15’s new live threat detection can flag risks as soon as they exhibit suspicious behavior on your phone.

Now here comes another reminder of the risks from apps that seem free but in reality come at a heavy price. Kaspersky has just warned that the number of dangerous free VPN installs is now soaring, “increasing by 2.5 times compared to Q2 globally. These apps were malware or programs that could be potentially used by malicious actors. This surge,” Kaspersky warns, “has continued into Q4.”

Many of these apps will be installed from outside Play Store, but such has been the threat from free VPNs available on Play Store itself that Google introduced a level of independent security validation specifically for VPNs. This is no guarantee of security, but it can help identify ones you should definitely not install. But as Top10VPN continues to warn, “we’ve uncovered hidden security flaws, concerning ownership, and shady operators behind many popular free VPN apps.”

“There is a growing demand for VPN apps,” Kaspersky says. “Users tend to believe that if they find a VPN app in an official store, like Google Play, it is safe and can be used to get content that is originally unavailable at their location. And they think it is even better if this VPN service is free! However, this often ends up being a trap, as recent cases and statistics showing a surge in malicious VPN app encounters prove.”

Even some paid VPNs carry risk, unfortunately. It has long been a bitter irony that these security apps are often more risky than the threats they promise to prevent.

Top10VPN has just issued a new report warning that it tested “the 30 most popular paid VPN apps in the Google Play store, which have more than 732 million total installs worldwide,” and while “most were completely safe and private, some had significant security and privacy flaws.” And so avoiding free apps is not enough in itself; users need to pick carefully from among paid options as well.

Top10VPN’s alarming findings included:

  • “3 VPNs shared data in a way that put user privacy at risk, either through ad tracking (2 VPNs) or poor practices (1 VPN).
  • 16 VPNs suffered some kind of data leak, although none were severe.
  • 15 VPNs exposed users’ VPN use due to lack of SNI encryption.
  • 7 VPNs leaked DNS requests under very specific conditions.
  • 7 VPNs potentially compromised user privacy by not operating their own DNS servers, including 2 VPNs using services other than Google/Cloudflare.
  • 7 VPNs failed to use the latest version of TLS to establish the VPN tunnel. One made use of the deprecated SSLv2 protocol, long considered insecure.
  • Over a quarter (27%) of VPNs tested did not use the strongest possible encryption, though none were actually insecure.
  • 9 VPNs exhibited various signs of tunnel instability, mostly minor.
  • 6 VPNs requested high-risk permissions that could not be justified… such as location (4), camera (2), and read phone state (1).
  • 4 VPNs declared use of potentially risky device hardware, such as cameras, microphones and GPS, but lacked the software features to justify doing so.
  • 7 VPN apps posed a potential privacy risk due to embedded tracking code from advertisers and data brokers, although only 2 actually shared data.”

So, what’s the best way to stay safe? Follow these three golden VPN rules:

  1. Only install VPNs from Play Store, only use paid VPNs, and only use VPNs from relatively well-known developers and never from one based in China.
  2. Always ensure Play Protect is enabled on your phone, and never disable or pause Play Protect to install a VPN or other security apps it flags as risky.
  3. When live threat detection flags an app, take action; Pixels upgraded to Android 15 have this now and others will follow.

Check that the VPNs already installed on your phone meet these golden rules, and delete all those that are free or that don’t. It’s just not worth the risk.
