300 shades of gray: a look into free mobile VPN apps


The times, they are a changin'. When users once felt free to browse the Internet anonymously, post about their innermost lives on social media, and download apps with frivolity, folks are playing things a little closer to the vest these days. Nowadays, users are paying more attention to privacy and how their personal information is transmitted, processed, stored, and shared. Nearly every day, they are bombarded with news of [data breaches](<https://www.charlotteagenda.com/178386/boy-scouts-affiliate-data-breach-exposed-kids-and-parents-personal-information/>), abuses or [neglect of personal information](<https://americanmilitarynews.com/2019/09/419-million-facebook-users-phone-numbers-found-unprotected-in-online-database/>) by tech giants, and the growing sophistication of [cybercriminal tactics](<https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/>) and scams. No wonder Internet users are on a hunt for certain tools that will give them added privacy—and not just security—while surfing the web, either at home, in the office, or on the go. While some might go for [Tor](<https://blog.malwarebytes.com/glossary/tor/>) or a [proxy server](<https://blog.malwarebytes.com/glossary/proxy-server/>) to address their need for privacy, many users today embrace virtual private networks, or [VPNs](<https://blog.malwarebytes.com/glossary/vpn/>). Depending on who you ask, a VPN is any and all of these: [1] a tunnel that sits between your computing device and the Internet, [2] helps you stay anonymous online, preventing government surveillance, spying, and excessive data collection of big companies, [3] a tool that encrypts your connection and masks your true IP address with one belonging to your VPN provider, [4] a piece of software or app that lets you access private resources (like company files on your work intranet) or sites that are usually blocked in your country or region. Not all VPNs are created equal, however, and this is true regardless of which platform you use. Out of the increasing number of VPN apps already out there, which is currently in the hundreds, a notable number of them are categorized as unsafe—especially those that are free. In this post, we'll take a closer look at free VPNs for mobile devices—a category many say has the highest number of unsafe apps. But first, the basics. ### How do VPNs work? Rob Mardisalu of TheBestVPN illustrated a quick diagram of how VPNs work—and it's pretty much as simple as it looks. ![](https://blog.malwarebytes.com/wp-content/uploads/2019/08/VPN-thebestvpn-600x469.png)A simple VPN illustration (Courtesy of [TheBestVPN](<https://thebestvpn.com/what-is-vpn-beginners-guide/>)) Normally, using a VPN requires the download and installation of an app or file that we call a VPN client. Installing and running the client creates an encrypted tunnel that connects the user’s computing device to the network. Most VPN providers ask users to register with an email address and password, which would be their account credentials, and offer a method of authentication—either via SMS, email, or QR code scanning—to verify that the user is indeed who they say they are. Once fully registered and set up, the user can now browse the public Internet as normal, but with enhanced security and privacy. Let’s say the user conducts a search on their browser or directly visits their bank’s official website. The VPN client then encrypts the query or data the user enters. From there, the encrypted data goes to the user's [Internet Service Provider (ISP)](<https://blog.malwarebytes.com/glossary/isp/>) and then to the VPN server. The server then connects to the public Internet, pointing the user to the query results or banking website. Regardless of which data is sent, the destination website always sees the origin of the data as the VPN server and its location—and not the user’s own IP address and location. Neat, huh? ### What VPNs don’t do However comforting using VPNs can be, realize that they can't be all things privacy and security for all users. There are certain functions they cannot or will not complete—and this is not limited to the kind of VPN you use. Here are some restrictions to be aware of. VPNs don't: * _Offer full anonymity._ Keeping you anonymous should be inherent in all available VPNs on the market. However, achieving full anonymity online using VPNs is nearly impossible. There will always be traces of data from you that VPNs collect, even those that don’t keep logs—and by logs, we mean browsing history, IP address(es), timestamps, and bandwidth. * _Connect you to the dark web._ A VPN in and of itself won’t connect you to the dark web should you wish to explore it. An [onion browser](<https://www.makeuseof.com/tag/dark-web-browser/>), like the Tor browser, can do this for you. And many are espousing the use of both technologies—with the VPN masking the Tor traffic, so your ISP won’t know that you’re using Tor—when surfing the web. * _Give users full access to their service for free. Forever._ Some truly legitimate VPNs offer their services for free for a limited time. And once the trial phase expires, users must decide on whether they would pay for this VPN or look for something else free. * _Protect you from law enforcement when subpoenaed_. VPNs will not allow themselves to be dragged into court if law enforcement has reason to believe that you are engaging in unlawful activities online. When VPN providers are summoned to provide evidence of their user activities, they have _zero_ compelling reason not to comply. * _Protect you from yourself._ No anti-malware company worth its salt would recommend users visit any website they want, open every email attachment, or click all the links under the sun because their security product protects them. Being careful online and avoiding risky behaviors, even when using a security product, is still an important way to protect against malware infection or fraud attempt. Users should apply the same security vigilance when using VPNs. ### Who uses VPNs and why? What started out as an exclusive product for businesses to ensure the security of files shared among colleagues from different locations has become one of the world’s go-to tools for personal privacy and anonymity. Average Internet users now have access to more than 300 VPN brands on the market, and they can be used for various purposes. According to the [latest findings](<https://www.globalwebindex.com/reports/vpn-usage-around-the-world>) on VPN usage by market research company GlobalWebIndex, the top three reasons why Internet users around the world would use a VPN service are: 1. to access location-restricted entertainment content 2. to use social networks and/or news services (which may also have location restrictions) 3. to maintain anonymity while browsing the web Mind you, these aren’t new. These reason have consistently scored high in many VPN usage studies published before. [![](https://blog.malwarebytes.com/wp-content/uploads/2019/08/why-use-vpns-globalwebindex-600x148.png)](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/why-use-vpns-globalwebindex.png> "" )What motivates you to use a VPN? Here are the top reasons. (Courtesy of [GlobalWebIndex](<https://www.globalwebindex.com/reports/vpn-usage-around-the-world>)) Users from emerging markets are the top users of VPN worldwide, particularly Indonesia at 55 percent, India at 43 percent, the UAE at 38 percent, Thailand at 38 percent, Malaysia at 38 percent, Saudi Arabia at 37 percent, the Philippines at 37 percent, Turkey at 36 percent, South Africa at 36 percent, and Singapore at 33 percent. The report also noted that among the 40 countries studied, motivational factors for using VPNs vary. Below is a summary table of this relationship: [![](https://blog.malwarebytes.com/wp-content/uploads/2019/08/vpn-motivations-per-country-globalwebindex-600x182.png)](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/vpn-motivations-per-country-globalwebindex.png> "" )The majority of the countries, including the US, use VPNs to access better entertainment content. While this reveals that not every VPN user is concerned their privacy, we can glean from the graph which ones are. (Courtesy of GlobalWebIndex) ### Mobile VPN apps are most popular A couple more interesting takeaways from the report: A majority of younger users are surfing the Internet with VPNs, especially on mobile devices. The details are as follows: * A vast majority of Internet users aged 16-24 (74 percent) and 25-34 (67 percent) use VPNs. * Users access the Internet using VPNs on mobile devices, which in this case includes smart phones (69 percent) and tablets (33 percent). * 32 percent use VPNs on mobile devices nearly daily compared to 29 percent at this frequency on a PC or laptop. With so many (mostly younger) users adopting both mobile and desktop VPNs to view paid content or beef up privacy, it's no wonder that Android and iOS users often opt for free mobile VPN apps instead of paid products belonging to more established names. But parsing through hundreds of brands is no easy feat. And the more you investigate, the more difficult it is to choose. For the average user, this is too much work when all they want to do is watch Black Mirror on Netflix. And that's likely why so many unsafe apps make their way onto the market and are installed on users' mobile devices. ### "Free" doesn’t mean "risk-free" When it comes to free stuff on the Internet, the majority of us know that we don’t _really_ get something for nothing. Most of the time, we pay with our data and information. If you think this doesn’t apply to free mobile VPN apps, think again. "There is a significant problem with free VPN apps in Google Play and Apple’s App Store,” says Simon Migliano, head of research at [Top10VPN](<http://top10vpn.com/>), in an email interview. He further explains: “[V]ery few of the VPN providers offer any transparency about their fitness to operate such a sensitive service. The privacy policies are largely junk, while 25 percent of apps suffer DNS leaks and expose your identity. The majority are riddled with ad trackers and are glorified adware at best, spyware at worst.” In December 2018, Migliano published [an investigation report](<https://www.top10vpn.com/free-vpn-app-investigation/>) on the top 20 free VPN apps on Android that appears in UK and US Google Play searches. According to the report, more than three quarters (86 percent) of these VPN apps, which have millions of downloads, have privacy policies that are deemed unacceptable: the use of generic privacy policy templates that don’t have VPN-specific clauses; the apps track user activity or share user data with third parties; and little detail on logging policies that, in its absence, “could lull people into [a] false sense of security” to name a few. Privacy is just one of the many concerns Top10VPN had unearthed. Top free VPN apps aimed at iPhone users have similar problems. In fact, in [a follow-up investigation report](<https://www.top10vpn.com/news/vpn/free-vpn-ios-apps-data-sharing/>), 80 percent of these were considered non-compliant to Guideline 5.4, a new addition to Apple’s [App Store Review Guidelines](<https://developer.apple.com/app-store/review/guidelines/>), which was introduced a month ago. [![](https://blog.malwarebytes.com/wp-content/uploads/2019/08/guideline-5-4-apple-600x213.png)](<https://blog.malwarebytes.com/wp-content/uploads/2019/08/guideline-5-4-apple.png> "" )Apple dedicated this subsection in the updated guide for VPN apps (emphasis ours). Top10VPN also noted that several of the top 20 VPN apps on both Android and iOS have ties to China. There were other investigations in the past about mobile VPN apps, both free and commercial. Thanks to them, we’ve seen improvements over the years, yet some of these concerns persist. Also note the severe lack of user awareness, which helped such questionable free VPN apps to have high ratings, encouraging more downloads, and possibly keeping them at the top of the ranks. In a 2016 [in-depth research report](<https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf>) [PDF] published by the Commonwealth Scientific and Industrial Research Organization (CSIRO) along with the University of South Wales and UC Berkeley, researchers revealed that some mobile VPN apps, both paid and free, leak user traffic (84 percent for IPv6 and 66 percent for DNS), request sensitive data from users (80+ percent), employ zero traffic encryption (18 percent), and more than a quarter (38 percent) use malware or [malvertising](<https://blog.malwarebytes.com/glossary/malvertising/>). Traffic leaking was a problem not exclusive to free VPN apps. Researchers from Queen Mary University of London and Sapienza University of Rome had found that even commercial VPN apps were guilty of the same problem. They also found that the DNS configurations of these VPN apps could be bypassed using [DNS hijacking](<https://blog.malwarebytes.com/cybercrime/2015/09/dns-hijacks-what-to-look-for/>) tactics. Details of their study can be viewed in [this Semantic Scholar page](<https://www.semanticscholar.org/paper/A-Glance-through-the-VPN-Looking-Glass%3A-IPv6-and-in-Perta-Barbera/8dddc74101b601bbec5d2f76ece871c8b4dc8487>). ### Free VPNs behaving badly Research findings are one thing, but organizations and individuals finding and sharing their experiences of the problems surrounding free VPNs makes all the technical stuff on paper become real. Here are examples of events where free VPNs were (or continue to be) under scrutiny and called out for their misbehavior. _The Hotspot Shield complaint._ Mobile VPN app developer AnchorFree, Inc. was in the limelight a couple of years ago—and not for a good reason. The Center for Democracy & Technology (CDT), a digital rights advocacy group, had filed [a complaint](<https://cdt.org/files/2017/08/FTC-CDT-VPN-complaint-8-7-17.pdf>) [PDF] with the FTC for “undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act.” The complaint said that Hotspot Shield was found to inject JavaScript code into users’ browsers for advertising and tracking, thus, also exposing them to monitoring from law enforcement and other entities. CDT’s complaint led to [a denial](<https://www.zdnet.com/article/privacy-group-accuses-hotspot-shield-of-snooping-on-web-traffic/>) of the claims by the app developer and the ensuing formation of its annual [transparency report](<https://www.businesswire.com/news/home/20171129005716/en/AnchorFree-Issues-Transparency-Report-Highlighting-Governments%E2%80%99-Requests>). _HolaVPN caught red handed._ HolaVPN is one of the many recognizable and free mobile VPN apps. In 2015, a spammer by the pseudonym of Bui began a spam attack against 8chan, which later revealed that he/she was able to do so with the help of Luminati, a known network of proxies and a sister company to HolaVPN. Lorenzo Franceschi-Bicchierai noted in [his Motherboard piece](<https://www.vice.com/en_us/article/pga9yk/your-tool-to-access-netflix-content-abroad-is-hijacking-your-internet-connection>) that Luminati’s website boasted of having “millions” of exit nodes. Of course, these nodes were all free HolaVPN users. In December 2018, AV company, Trend Micro, [revealed](<https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/shining-a-light-on-the-risks-of-holavpn-and-luminati>) that they found evidence of the former KlipVip cybercrime gang (who were known to spread fake AV software or [rogueware](<https://blog.malwarebytes.com/threats/rogue-scanners/>)) using Luminati to conduct what researchers believe is a massive-scale ad click fraud campaign. _Innet VPN and Secnet VPN malvertising._ Last April, Lawrence Abrams of BleepingComputer [alerted iPhone users](<https://www.bleepingcomputer.com/news/security/mobile-vpns-promoted-by-you-are-infected-or-hacked-ads/>) of some mobile VPNs taking a page out of [fake AV’s](<https://blog.malwarebytes.com/cybercrime/2016/09/mobile-menace-monday-fake-av-makes-it-onto-google-play/>) book in ad promotion: scare tactics. Users clicking a rogue ad on popular sites found themselves faced with pop-up messages claiming that their mobile device was either infected or they were being tracked. Unfortunately, that was not the first time this happened—and may not be the last. Our own Jérôme Segura [saw first-hand](<https://blog.malwarebytes.com/threat-analysis/2017/04/malvertising-on-ios-pushes-eyebrow-raising-vpn-app/>) a similar campaign exactly a year before the Bleeping Computer report, but it was pushing users to download a VPN called MyMobileSecure. ### VPNs are not inherently evil In spite of inarguable evidence of the shady side of free mobile VPN apps, the fact is not all of them are bad. This is why it's crucial for mobile users who are currently using or looking into using a free VPN service to conduct research on which brands they can trust with their data and privacy. No one wants an app that promises one thing but does the complete opposite. When users insist on using a free VPN service, Migliano suggests that they should sign up to a service based on the freemium model, as these platforms don’t have advertising, so it keeps privacy intact. He also offered helpful questions users need to ask themselves when picking the best VPN that fits their needs. "Look for information about the company. Are they are [sic] a real company with real people, with an address, phone number and all the things that normal companies tend to have? Do they have a VPN-specific privacy policy that explains their logging and data retention policies? Have they taken steps to minimize the risk of data misuse, such as deleting all server logs in real time for example? Do they have proper customer support?" Also watch out for VPN reviews. They can be disguised adverts. Finally, users have the choice to go for a paid service, which is a business model a majority of well-established and legitimate mobile VPN services follow. Or [they can create their own](<https://blog.malwarebytes.com/security-world/2014/06/one-vpn-to-rule-them-all/>). As not everyone is savvy enough to do the latter, the former is the next logical choice. Migliano agrees. "The best thing you can do is pay for a VPN," he said. “It costs money to operate a VPN network and so if you aren’t paying directly, your browsing data is being monetized. This is clearly a cruel irony given that a VPN is intended to protect a user’s privacy." The post [300 shades of gray: a look into free mobile VPN apps](<https://blog.malwarebytes.com/privacy-2/2019/09/300-shades-of-gray-a-look-into-free-mobile-vpn-apps/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).