Make Sure You Won't Use These Malicious 7 VPN Apps

Dhir Acharya - Sep 16, 2019


A VPN app can help you hide from prying eyes while browsing on your smartphone, but that doesn’t mean it should control your OS or slurp up your data.

A virtual private network app can help you hide from prying eyes while browsing on your smartphone, but that doesn’t mean it has the privilege to control your OS or slurp up your data. So before putting all your trust in a VPN on the Play Store with high ratings and millions of downloads, remember that a number of shady Android VPNs grab more consent than they need, which exposes you to privacy risks.

Ultimately, it comes down to how many normal and dangerous permissions each app has. Normal permissions are those granted by Android itself, such as letting the app stay awake while in use or get online when it’s told to.

Avoid using VPNs that ask for unnecessary permissions

Dangerous permissions, on the other hand, can compromise your privacy. Some of them are harmless or are required by the operating system, for example, when an app requires location data to check whether a public Wi-Fi network can be trusted. However, some dangerous permission requests are unnecessary, such as when apps want the ability to change the system settings on your device, read your phone call list, or pinpoint your location.

Here is the list of popular VPN apps for Android that grab more consent than they actually need.

Yoga VPN: 6 dangerous permissions

Yoga VPN asks for 6 dangerous permissions

Yoga sits at the top of this list with six dangerous permission requests, including one to read your phone state. The app wants to know your cell network, your phone number, and whether you are on a call, which is unnecessary.

Yoga’s privacy policy, which is 373 words long, says the app doesn’t collect your personal info and that data collection may happen only if you communicate with it.

You should avoid free VPNs regardless of where you find them. This is true for Yoga, which appears in Top10VPN’s analysis of free apps that have too few privacy protections.

proXPN VPN: 5 dangerous permissions

proXPN VPN asks for 5 dangerous permissions

This app comes with unlimited connection time and data transfer, along with a zero-log policy. However, its base is not in the US, and any VPN not based in the UK, US, New Zealand, Australia, or Canada, also known as the “Five Eyes” intelligence community, is not safe if you want the best protection for your privacy. The Five Eyes have called for government backdoor access to private communication tech, something many people consider the end of online privacy.

proXPN hasn’t updated the app on the Play Store since 2017, and its Twitter accounts went dead in 2018. Additionally, many of the company’s security certificates have been expired since March 2019, and an increasing number of users complain that they cannot connect. Meanwhile, one of its two public phone numbers is not in operation and the other has stopped receiving messages.

Ian Kline, head of technical support and customer service at proXPN, said that the company is still assisting users through email and Facebook.

Kline said in his email:

[Image: screenshot of the statement; text not available]

When asked about the risky permissions in proXPN, Kline said that they are necessary for the interface to update the device’s location on the displayed map only, when the phone is unlocked, and when server locations are updated. Kline added:

[Image: screenshot of the statement; text not available]

Anyway, you shouldn’t let any VPN, including proXPN, access phone calls on your device, track your locations, or write to the SD card on your phone.

Hola Free VPN: 4 dangerous permissions

Hola Free VPN asks for 4 dangerous permissions

This app is infamous not only for being a bandwidth-borrowing botnet but also for unencrypting phone state data.

When the botnet scandal came to light, Ofer Vilenski, the company’s CEO, admitted that a spammer had had the VPN, but insisted that such bandwidth harvesting was common for this service.

The CEO wrote on Hola’s blog at the time:

[Image: screenshot of the statement; text not available]

However, in late 2018, Trend Micro’s researchers warned Hola’s would-be customers that:

[Image: screenshot of the statement; text not available]

oVPNSpider: 4 dangerous permissions

oVPNSpider asks for 4 dangerous permissions

This app has earned a 4-star rating on the Play Store and 4.5 stars on Apple’s App Store, but that doesn’t say much. According to the risk index summary by Top10VPN, there were DNS leaks, the type that happens in cheap VPNs and exposes users’ browsing traffic to their internet service provider. In addition, oVPNSpider also tested positive for adware and malware.

Seed4.Me VPN, Zoog VPN, and SwitchVPN: 4 dangerous permissions

Seed4.Me VPN, like the other two VPNs, asks for user location

These three VPNs ask for the same unnecessary things: detailed location data of users, plus the ability to read and write data on users' SD cards.

Among these three services, only Seed4.Me VPN responded to privacy researchers, describing how it used the features to support customers and instructing them on how to disable permissions.

ZoogVPN, however, has to do a few things before letting users sign off. Those include making a kill switch available for Android users, telling them how long it will keep usage logs, and not being located in a country affected by EU data retention laws that preserve troves of metadata like the NSA. A spokesperson from this service wrote that its app doesn't require permissions outside the scope of VPN service provision.

[Image: screenshot of the statement; text not available]


According to SwitchVPN, the requests for location permissions were to find the closest server to users. A closer server allows a faster connection, but that can be achieved with approximate locations and doesn't necessarily require users' exact addresses. The service said that users can disable the permission and that its app doesn't send location or personal data to the company. 

SwitchVPN said:

[Image: screenshot of the statement; text not available]

To view the apps' permission requests, users can visit Google Play Store's official page and click on "View details" under "Permissions."
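
The same check can be scripted for an APK you already have on disk. The following is an added example, not part of the original article: it parses the text printed by `aapt dump permissions <file.apk>` (Android SDK build tools) and flags the permission types the article describes as excessive for a VPN. The sample output, the package name `com.example.vpn` and the `RISKY_FOR_VPN` grouping are assumptions made for illustration.

```python
import re

# Real Android permission constants; which ones count as "risky for a VPN" is this example's assumption.
RISKY_FOR_VPN = {
    "android.permission.READ_PHONE_STATE": "phone number, cell network, call state",
    "android.permission.READ_CALL_LOG": "phone call list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "read SD card / shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write SD card / shared storage",
    "android.permission.WRITE_SETTINGS": "change system settings",
}

# Matches both aapt styles: "uses-permission: android.permission.X" and
# "uses-permission: name='android.permission.X' maxSdkVersion='18'".
LINE_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?"
    r"(?:\s+maxSdkVersion='(\d+)')?"
)

def audit_permissions(aapt_output):
    """Return (requested, flagged); flagged maps each risky permission to what it exposes."""
    requested, flagged = [], {}
    for raw in aapt_output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip 'package:' lines and custom 'permission:' declarations
        name, max_sdk = m.group(1), m.group(2)
        if name not in requested:
            requested.append(name)
        if name in RISKY_FOR_VPN:
            note = RISKY_FOR_VPN[name]
            if max_sdk:
                note += f" (only up to API {max_sdk})"
            flagged[name] = note
    return requested, flagged

# Constructed sample output, not taken from any real app.
SAMPLE = """package: com.example.vpn
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' maxSdkVersion='18'
uses-permission: android.permission.FOREGROUND_SERVICE
permission: com.example.vpn.CUSTOM"""

if __name__ == "__main__":
    for name, why in audit_permissions(SAMPLE)[1].items():
        print(f"{name}: {why}")
```
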

What VPN can you trust?


NordVPN is probably the most trusted in 2019, at least up to now. It has a strict no-logging policy, a kill switch, and 3,500 servers to choose from, covering 61 countries. TorGuard is another good option: you can pay for it with bitcoins, and it offers an anonymous email. In addition, TorGuard offers over 3,000 servers.
