A research team has issued a warning over the lack of security in many VPN apps available from Google Play. A worrying 38% of the apps tested contained some kind of malware while 67% featured at least one third-party tracking library. More than eight out of ten leaked IPv6 traffic.

There was a time when the Internet was a fairly straightforward place to navigate, with basic software, basic websites and few major security issues. Over the years, however, things have drastically changed.

Many people now spend their entire lives connected to the web in some way, particularly via mobile devices and apps such as Facebook and the countless thousands of others now freely available online.

For some users, the idea of encrypting their traffic has become attractive, from both a security and anti-censorship standpoint. On the one hand people like the idea of private communications and on the other, encryption can enable people to bypass website blocks, wherever they may occur and for whatever reason.

As a result, millions are now turning to premium VPN packages from reputable companies. Others, however, prefer to use the all-in-one options available on Google’s Play store, but according to a new study, that could be a risky strategy.

A study by researchers at CSIRO’s Data 61, University of New South Wales, and UC Berkley, has found that hundreds of VPN apps available from Google Play presented significant security issues including malware, spyware, adware and data leaks.

Very often, users look at the number of downloads combined with the ‘star rating’ of apps to work out whether they’re getting a good product. However, the researchers found that among the 283 apps tested, even the highest ranked and most-downloaded apps can carry nasty surprises.

“While 37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating, over 38% of them contain some malware presence according to VirusTotal,” the researchers write.

The five types of malware detected can be broken down as follows: Adware (43%), Trojan (29%), Malvertising (17%), Riskware (6%) and Spyware (5%). The researchers ordered the most problematic apps by VirusTotal AV-Rank, which represents the number of anti-virus tools that identified any malware activity.

The worst offenders, according to the report

The researchers found that only a marginal number of VPN users raised any security or privacy concerns in the review sections for each app, despite many of them having serious problems. The high number of downloads seem to suggest that users have confidence in them, despite their issues.

“According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user’s traffic with the VPN permission,” the paper reads.

The growing awareness of VPNs and their association with privacy and security has been a hot topic in recent years, but the researchers found that many of the apps available on Google Play offer neither. Instead, they featured tracking of users by third parties while demanding access to sensitive Android permissions.

“Even though 67% of the identified VPN Android apps offer services to enhance online privacy and security, 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages,” the researchers note.

Even from this low point, things manage to get worse. Many VPN users associate the product they’re using with encryption and the privacy it brings, but for almost one-fifth of apps tested by the researchers, the concept is alien.

“18% of the VPN apps implement tunneling protocols without encryption despite promising online anonymity and security to their users,” they write, adding that 16% of tested apps routed traffic through other users of the same app rather than utilizing dedicated online servers.

“This forwarding model raises a number of trust, security, and privacy concerns for participating users,” the researchers add, noting that only Hola admits to the practice on its website.

And when it comes to the handling of IPv6 traffic, the majority of the apps featured in the study fell short in a dramatic way. Around 84% of the VPN apps tested had IPv6 leaks while 66% had DNS leaks, something the researchers put down to misconfigurations or developer-induced errors.

“Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by inpath middleboxes (e.g., commercial WiFi [Access Points] harvesting user’s data) and by surveillance agencies,” they warn.

While the study (pdf) is detailed, it does not attempt to rank any of the applications tested, other than showing a table of some of the worst offenders. From the perspective of the consumer looking to install a good VPN app, that’s possibly not as helpful as they might like.

Instead, those looking for a VPN will have to carry out their own research online before taking the plunge. Sticking with well-known companies that are transparent about their practices is a great start. And, if an app requests access to sensitive data during the install process for no good reason, get rid of it. Finally, if it’s a free app with a free service included, it’s a fair assumption that strings may be attached.