Android VPN apps fail privacy tests

In a coup d’ironie par excellence, it turns out that VPN apps available on the Google Play store may be putting Android smartphone and tablet users at an increased risk of data leakage instead of actually protecting them.

These are the findings of a recent report analysing 1.5 million apps on Google’s official mobile app store.

Researchers at CSIRO and the universities of Berkeley and New South Wales found that among the 283 Android apps they identified as using the native Android VPN permissions:

  • 18% didn’t actually encrypt traffic
  • 84% leaked user data
  • 38% had links to malware and malvertising
  • 80% requested permission to sensitive device data including text messages and user accounts
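The report's selection criterion (apps that use the native Android VPN permission) and its fourth finding (apps that also request text-message and account access) both come down to what an app declares in its manifest. The following is an added example, not code from the report or from Inspect-a-Gadget, showing how a reviewer can run that check over a decoded AndroidManifest.xml. It assumes the manifest has already been converted from the APK's binary XML to plain text (for instance with apktool); the sample manifests and the list of "sensitive" permissions are constructed for the example, and the permission and action names are the real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# A VpnService must be guarded by this permission and answer this intent action;
# both are how the report's "native Android VPN permissions" show up in a manifest.
VPN_BIND_PERMISSION = "android.permission.BIND_VPN_SERVICE"
VPN_SERVICE_ACTION = "android.net.VpnService"

# Constructed list: the text-message and account permissions the report singles out,
# plus neighbouring ones a reviewer would question on a VPN client.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyse_manifest(manifest_xml: str) -> dict:
    """Report whether the app declares a VpnService and which sensitive
    permissions it requests alongside it."""
    root = ET.fromstring(manifest_xml)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}

    declares_vpn = False
    for svc in root.iter("service"):
        guarded = _attr(svc, "permission") == VPN_BIND_PERMISSION
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if guarded and VPN_SERVICE_ACTION in actions:
            declares_vpn = True

    sensitive = sorted(requested & SENSITIVE_PERMISSIONS)
    return {
        "package": root.get("package"),
        "declares_vpn_service": declares_vpn,
        "sensitive_permissions": sensitive,
        # Flag only the combination the report warns about: a VPN client that
        # also wants access to messages, accounts or similar.
        "flag": declares_vpn and bool(sensitive),
    }


# Constructed sample: a VPN client that also asks for SMS and account access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Example VPN">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a VPN client that only asks for network access.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain VPN">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(name, analyse_manifest(xml))
```

A manifest check only tells you what an app is allowed to do, not what it does; whether the tunnel actually encrypts traffic (the report's first finding) still has to be confirmed by capturing the device's traffic while the VPN is connected.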

Tales of malware-infected apps running riot over unofficial Android app stores are nothing new. However, potentially flawed privacy and security apps appearing in the official store will be a concern for Google as well as Android users who presumed their browsing was safe.

Virtual private network apps have become increasingly popular for consumers and corporate device users alike as awareness of Man-in-the-Middle attacks on public Wi-Fi networks in hotels, airports and coffee shops has risen. Also popular, and arguably the larger slice of the pie, is their ability to work around geographical restrictions and access regionalised online content.

Dodgy Apps

“I would love to see Google vet its app store more thoroughly”, security blogger Graham Cluley told Inspect-a-Gadget. “Most of the Android malware that is seen appears in third-party stores, but there have been too many occasions where dodgy apps have made it into Google Play. Although Google has got better in recent years, it’s lagging behind Apple in that regard.”

A reminder that all that glisters in an app store isn’t gold?

“It would be a big mistake to think that just because you’ve installed a VPN app on your Android that it’s doing the job it claims to”, continues Cluley. “My advice would be to stop making price your primary consideration and start looking for a product which has a decent reputation from a trusted provider instead”.

While the CSIRO report doesn’t disclose its raw data or a full list of the VPN apps it tested, it does highlight those it found particularly offensive (you can see the source report here). The researchers also note that some of the apps have subsequently been removed from the app store, either as a result of the researchers contacting the apps’ developers or via Google’s own in-store vetting.

However, Cluley warns that custodians of other platforms shouldn’t be complacent either: “Any user of VPNs would be wise to be cautious about which one they choose. It’s not just an Android issue; it’s the same story for iOS, Mac, PC etc.”

“Poor quality copycats”

Inspect-a-Gadget did reach out to the developers of some VPN apps implicated in the report; CyberGhost was the first to respond:

“CyberGhost’s image suffers because of some poor-quality copycats. There are apps out there that copy our brand, logo, company name and even UI look and feel. This is true, especially on the Google Play Store”, replied a spokesperson. “We’ve reached out to Google in an effort to solve these problems, and we will continue to do so in the future, even if so far we have to say that our efforts weren’t always successful.”

More bad news for those putting their faith in Google Play’s app vetting process.

“Regarding VirusTotal, it is important to understand that after we release a new version of our app, it is indeed possible that in the first couple of days some antivirus products report CyberGhost as potentially malicious”, continued the CyberGhostie. “If anyone were to perform a VirusTotal check today, they would see that CyberGhost is 100% clean.”

A robust defence of its product, but the overall takeaway remains clear: relying on consumer app-store reviews and feature lists alone is a dangerous game when it comes to safeguarding your data.