Android Owners, Watch Out for These 7 Shady VPN Apps
Virtual private network apps are supposed to protect your privacy, not put it at risk by requesting dangerous permissions.
Rae Hodge, former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
A reliable and well-tested virtual private network app will shield your mobile browsing from prying eyes -- without slurping up your data or totally controlling your operating system. So before you trust that highly rated VPN app with a million installs on the Google Play Store, just know that there are plenty of shady Android VPNs that grab more permissions than they actually need and put your privacy at risk.
All the research boils down to each app's number of "normal" permissions and "dangerous" permissions. "Normal" permissions are usually granted by Android -- they let apps stay awake during use or get online when you tell them to.
"Dangerous" permissions can compromise privacy. Some are harmless or required by Android, like when an app asks for general location data to check whether a public Wi-Fi network is trusted. But sometimes "dangerous" permissions include unnecessary requests, like when an app wants to be able to change your system settings, read your list of phone calls, or pinpoint your exact location. Not cool.
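To check an app yourself, you can sort the permissions its manifest declares into the buckets described above. The script below is an added example, not part of the original article or of Top10VPN's research; it assumes the APK's `AndroidManifest.xml` has already been decoded to text, and the package name `com.example.vpn` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Runtime ("dangerous") permissions matching the requests the article describes.
DANGEROUS = {
    P + "READ_PHONE_STATE": "phone number, cell network, call status",
    P + "READ_CALL_LOG": "list of phone calls",
    P + "ACCESS_FINE_LOCATION": "precise location",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
    P + "READ_EXTERNAL_STORAGE": "read SD card / shared storage",
    P + "WRITE_EXTERNAL_STORAGE": "write SD card / shared storage",
}
# Granted from a system settings screen rather than a runtime prompt.
SPECIAL = {P + "WRITE_SETTINGS": "change system settings"}

# Constructed sample: decoded manifest of a hypothetical VPN app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

def audit_manifest(manifest_xml):
    """Group declared permission names into dangerous / special / other."""
    report = {"dangerous": [], "special": [], "other": []}
    seen = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = el.get(ANDROID_NS + "name")
        if not name or name in seen:  # skip malformed and duplicate entries
            continue
        seen.add(name)
        bucket = ("dangerous" if name in DANGEROUS
                  else "special" if name in SPECIAL else "other")
        report[bucket].append(name)
    return report

if __name__ == "__main__":
    for bucket, names in audit_manifest(SAMPLE_MANIFEST).items():
        for n in names:
            print(f"{bucket:9} {n}  {DANGEROUS.get(n) or SPECIAL.get(n) or ''}")
```

Names that land in "other" are simply not in the two lists above; look up their protection level before treating them as harmless.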
Yoga tops the list with six requests for dangerous permissions, including reading your phone state. It wants to know your phone number, what cell network you're on, and whether you're on a call. Why do they need this data?
You should already be avoiding free VPNs no matter where you find them. That holds true for Yoga, which found itself in Top10VPN's analysis of free apps with too few privacy protections. But for Yoga to really find itself, it would have to know where its headquarters are. We'd help, but we haven't been able to find out either since it has not yet responded to our request for comment.
Yes, this VPN offers unlimited data transfer and connection time. And yes, it has a zero-log policy (at least after two weeks, when the logs are supposedly torched).
But proXPN is based out of the US. That alone is a deal breaker. Any VPN based out of the US, UK, Canada, Australia and New Zealand -- the so-called "Five Eyes" intelligence community -- should generally be avoided if you're looking to max out your privacy. Five Eyes openly calls for what most people consider an end to online privacy via the installation of government backdoor access into private communication technology.
We reached out to proXPN to ask a few questions about the number of permissions its app requests. But the first question was whether the company was still operating.
The app hasn't been updated on Google Play since 2017, the company's two Twitter handles have been dead since 2018, many of its site's security certificates have been expired since March, a growing number of user reviews complain about being unable to connect, and of the two public phone numbers listed, one is no longer in operation and the other is no longer accepting messages.
Ian Kline, who heads up proXPN customer service and technical support, did respond and said the company is still assisting customers via Facebook and email.
"Regarding the proXPN app, there were no updates on the app which is the client-side since we are already working on our servers. We have plans to update the official app soon," he said in an email.
I asked Kline about proXPN's risky permissions, and he said:
"Those permissions are needed for the UI to update the location only on the map shown as well as when locking the phone and when updating server locations," Kline said in the email. "If you don't prefer to use the official app you can use the official OpenVPN client which is available in the app store or the official IPsec client from Strongswan if you prefer on using IPsec/IKEv2 VPN."
Regardless, there's no reason to let proXPN (or any other VPN) access your phone calls, track your every footstep and write to your SD card when its limited number of servers can't even get you to stream Netflix.
If Hola's notorious history as a bandwidth-borrowing mercenary botnet wasn't enough to make you approach this VPN with caution, then just decide whether you're cool with giving it your phone state data (the same thing proXPN and Yoga ask for) and having that data be totally unencrypted.
Back when the botnet scandal broke, Hola CEO Ofer Vilenski admitted it'd been had by a "spammer," but contended this harvesting of bandwidth was typical for this kind of service.
"We assumed that by stating that Hola is a [peer-to-peer] network, it was clear that people were sharing their bandwidth with the community network in return for their free service," he wrote on the company's blog at the time.
But researchers from Trend Micro offered a warning to would-be Hola users late last year, stating "Hola VPN is not a secure VPN solution -- rather, it is an unencrypted web proxy service."
Does oVPNSpider need access to your call logs for it to function as a VPN? Does it need to have your precise location, to put stuff on your SD card, to be able to change your system settings? Absolutely not.
As for oVPNSpider's 4.5-star rating from the App Store, and 4-star rating from Google Play? I'm not convinced. Top10VPN's risk index summary detected DNS leaks, a type of critical security flaw in cheap VPNs which exposes your browsing traffic to your internet service provider. It also said oVPNSpider tested positive for malware and adware.
We did not get an immediate response from oVPNSpider when we reached out for comment.
The final trio: 4 dangerous permissions
SwitchVPN, Zoog VPN and Seed4.Me VPN all ask for the same things: They want specific location data about you, and they want to read and write data on your SD card. All unnecessary.
We do have to give a shout-out to Seed4.Me VPN. At least it responded to privacy researchers, described its use of the features for customer support, and instructed users on disabling permissions (noting the permissions are disabled by default).
But SwitchVPN and ZoogVPN? ZoogVPN has seen a good amount of praise online, but before I can sign off on it, it needs to do a few things: make a kill switch available for Android users, tell us how long it's keeping usage logs, and not be located in a country with EU data retention laws which preserve NSA-like troves of metadata in a mass surveillance swamp. Until then, we can still do better.
The location permissions requests, SwitchVPN told us, were to nail down the closest server to the user. But while a closer server is desirable for connection speed, that can usually be accomplished using more approximate locations rather than pinpointing the user's exact address. SwitchVPN did say users can disallow permission, and that the app "does not send any personal or location data to SwitchVPN."
"The app requires access to storage so that it can download the OpenVPN configuration file and connect to it. As we use OpenVPN, it requires configuration file to be loaded in order to connect," SwitchVPN said in an email. "So I think it's not fair to mention as if we collect this data and store with us. As we do not."
SwitchVPN has a kill switch but it's still US-based, so I'll pass.
ZoogVPN got back to us also.
"Our app does not require any permissions that are outside the scope of VPN service provision," a spokesperson wrote. "There is nothing over and above [...] what a VPN app requires to function on an Android device."
For a fresh look at Top10VPN's investigation and research into apps with risky permissions, visit the site's August update.
Who to trust?
Our favorite mobile VPN services are in a tight race against each other, but ExpressVPN is our current Editors' Choice and the fastest VPN we've tested in 2022. Surfshark is another excellent mobile option due to its lightweight app, budget-savvy pricing tiers and fast speeds. NordVPN is also a solid choice. Its wide platform compatibility and selection of 3,500 servers in more than 61 countries make it hard to beat.
TorGuard is really giving NordVPN a run for its money, though. It accepts payment via bitcoin and offers an anonymous email. It's also closing the gap against NordVPN in terms of server count, having recently doubled its offerings to more than 3,000.