Are You Using a VPN or a Malware Disguised as a VPN to Gain Access to Your Data? Find Out With These Recent Studies

Image by Stefan Coders from

Recent research has revealed that many VPNs currently installed on Android and iOS are infested with malware of all kinds. From Trojans, spyware, riskware and adware programs, users face all kinds of risks. And this goes for both free and paid alternatives.

Additional to the inadequate security, some VPNs risk user privacy — the one job they should be doing — by asking all kinds of permissions. Careful analysis by security experts shows the sensitive information these services ask access to even when they only need basic data to safely connect the user to the internet. Some go as far as demanding access to external storage and precise location.

While some users may not mind the constant bombardment with ads if it’s the price of staying anonymous, no user wants a service that exposes them to cybercriminals, collects and sells their personal data to third parties or steals from them.

Don’t wait to install a VPN to learn about it. Before you even install it, be sure what the company stands for and where you stand: Are you a customer or a commodity? Can the vendor sustainably ensure your online safety?

Granted, all VPNs have certain limitations that no particular VPN can get over, making it necessary to invest in other types of internet privacy tools as well. However, you should at least get the best of what is available.

If you know what to look for, doing your due diligence is much easier.

1. Potentially “Dangerous” Permissions

Every time you grant permission to an app it gains deeper access into your private world. Ideally, you’d give permission to the least sensitive information because this poses little risk to you.

The Android documentation for app developers groups permissions into two categories depending on the amount of risk they pose to the user:

i. Normal permissions don’t pose any risk to your privacy. The system readily allows them to the app.

ii. Dangerous permissions are identified as those which can potentially disrupt the user’s privacy or normal operation of the device. These are the ones you’re prompted to grant.

VPNs need some (dangerous) permissions to do their job: Protect the user’s privacy. As the user, you don’t want to grant any unnecessary permissions. Yet some VPN providers still insist on getting more access than necessary. TheBestVPN recently performed a study to find out the app permissions most VPNs ask. The study was performed on 81 VPN services and the findings revealed that many of them ask for unnecessary and very suspicious and dangerous permissions including:

I. Permission to read and write external storage.

II. Permission to access phone state including phone number, cellular network and call status.

III. Permission to use WiFi and/or mobile data to determine the location of the device.

IV. Permission to access precise location.

V. Permission to read or write system settings.

VI. Permission to read low-level log files.

A preview of some of the VPNs and the number of permissions they requested

2. Data protection guarantees

When you’re investing in a VPN service, you expect that your internet access will be private and anonymous but also that your data will be adequately protected. Otherwise, there’s no point in trying to be anonymous.

Yet reading through the legal agreements of many VPNs, you realize that this isn’t usually a guarantee. What they promise on the Privacy Policy (the legal document) falls short of what they claim on the website (the marketing platform).

In a study of 283 Android VPNs, CSIRO found that 18% didn’t encrypt their data at all. A whopping 84% leaked user data and two out of three used third-party tracking libraries. All this is against what a VPN does.

First, a VPN is supposed to encrypt your data so that if anyone were to see it, they couldn’t make any sense of it. VPN providers should have technology in place to protect against data leakages and they shouldn’t share user data with any third parties.

A preview of a part of the research by CSIRO that shows 19% of free apps unencrypted

3. Questionable Logging policies

Logging is one of the most contentious areas when it comes to the security risks of VPNs. Depending on the kind of data that’s recorded about you and how long it’s stored, your privacy hangs in the balance. Most VPNs claim zero-log policy but not all VPNs keep this claim. However, free VPNs definitely log on a larger scale. This further stresses the fact that majority of VPNs can’t be trusted to make users more secure.

VPNs keep two types of logs: Connection and usage logs. While the former may not include personally identifiable data, the later can be used to identify you. However, not all logs are dangerous. VPN providers require certain data to provide quality service. This information shouldn’t be used to identify you online or offline.

In an earlier research, 26 out of 115 VPNs collected log files; these included three or more important log files. Of course, this information was in their privacy policy but it was definitely very hidden, especially to the unkeen user. If you’re serious about privacy and anonymity, you’ll insist on paying for the VPN service itself using an anonymous payment option such as cryptocurrency.

How to stay safe 

How can you stay safe when even the premium services risk your safety?

Always verify that the permissions asked are necessary. If you feel like a VPN is asking too much, do some research to find out if indeed the permission is unnecessary.

The above studies have shown that there are many issues and gray areas with most VPNs. It’s important to read through the legal documents because these are what hold the service providers accountable. Don’t fall for the marketing.