With internet users growing ever-more concerned about their privacy, smartphone users are turning to virtual private network (VPN) apps to keep their data secure while online. While the prospect of a free-to-download service might appeal to the budget-conscious users, a new study has found that a shocking number of VPN apps available for Android devices offer no encryption at all, and in fact actively inject smartphones with harmful content.

In a study of 283 Android VPN apps by Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO), alongside researchers from the University of South Wales and UC Berkeley in the US, more than a third (38%) contained malware or malvertising designed to harm users' smartphones or track their activity. At the same time, approximately one in five apps did not even encrypt internet traffic – the basic function of a VPN – while over eight in 10 were found be leaking user data.

The researchers were able to analyse the security – or lack thereof – of each VPN by downloading tools that enabled them to reverse-engineer Android application package (APK) used in each app. This allowed them to analyse each app's source code and Android Manifest file, which identifies core information about an app including the access permissions they require from users.

Each VPN was then given an anti-virus (AV) rank based on the findings, with a lower number being better. While some of the security flaws were identified as being caused by lack of support from Android or poor design, a number of apps "deliberately sought to collect personal user information that could then be sold on to external partners", according to CSIRO.

DressCode Android malware spotted in over 40 Google Play Store apps and 400 apps on third-party app stores
37% of VPN apps available for Android devices contain malware or malvertising, researchers found Reuters

The dangers of a free mobile VPN

More than 80% of the apps downloaded for the study requested access to sensitive data including user's accounts and text messages. sFly Network Booster, which has since been deleted from the Google Play app store, was found to incorporate spyware that allowed it to read users' messages and potentially send texts to premium-rate numbers.

Two of the VPNs, Hotspot Shield and WiFi Protector VPN, were found to be actively injecting JavaScript code into users' traffic that allowed them to be tracked and targeted with the app provider's own ads.

Worst-performing VPNs by AV-rank

1. OkVpn

2. EasyVpn

3. SuperVPN

4. Betternet

5. CrossVpn

6. Archie VPN

7. HatVPN

8. sFly Network Booster

9. One Click VPN

10. Fast Secure Payment

Despite being collectively downloaded and installed more than 500,000 times, the researchers found that less than 1% of reviews for the VPN apps made any mention of security or privacy concerns.

How to stay safe when downloading a VPN

CSIRO researcher Dali Kaafar said that users should shop around and pay close attention to the functionality and reviews of VPN services before installing them on their devices.

"Always pay attention to the permissions requested by apps that you download," said Kaafar. "This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services."

A total of 49 of the 283 VPN apps identified have been removed from Google Play since the study was carried out in August 2016.