Skip to main content
LiMP VPN
All news

281 Free Android VPNs Leak Your Traffic, 2026 Study

281 Free Android VPNs Leak Your Traffic, 2026 Study

In short: In July 2026 researchers published a study of 281 free Android VPN apps from Google Play and found that many of them do the opposite of what a VPN promises: they leak DNS and browser traffic outside the encrypted tunnel, send data in cleartext, use broken encryption, or ship no encryption at all. The flawed apps have been installed more than 2.4 billion times combined. The lesson is simple — a VPN is a trust tool, and a free app that leaks your data is worse than no VPN.

What happened

Researchers from the University of Michigan, the University of New Mexico and IIT Delhi built a testing framework called MVPNalyzer and used it to audit 281 of the most popular free VPN apps on the Google Play Store. The results were presented at the NDSS security conference and widely reported in July 2026. It is described as the first framework designed to systematically and repeatedly test the security and privacy of mobile VPNs. If you want to know which VPN protections actually stop these leaks, start with our explainer on the kill switch and DNS-leak protection.

The headline number is scale: apps flagged with at least one problem account for more than 2.4 billion installs. In other words, the failures are not confined to obscure apps — they sit in software that hundreds of millions of people trust with their most sensitive traffic.

How "free" VPNs leak your data

The study catalogued several distinct failure modes:

Traffic and DNS leaks. 29 apps leaked traffic outside the tunnel. Of those, 24 leaked DNS requests — exposing every site a user visits to the local network and provider — and those apps alone account for roughly 360 million installs. Six leaked full browser traffic outside the tunnel entirely.

No encryption at all. Four apps ran "tunnels" with no encryption whatsoever, and some set the data cipher to "none" — switching protection off while still calling themselves a VPN. Over one in five used weak or outdated ciphers such as Blowfish and triple DES.

Cleartext configuration. Five apps sent their VPN configuration files in cleartext. Researchers showed this lets an attacker on the same network steal the file and redirect the victim to a server they control — effectively hijacking the tunnel.

Silent tracking. 76 apps transmitted device identifiers such as Android's Advertising ID to third parties, feeding the exact tracking and fingerprinting that a VPN is supposed to reduce. More than 60% failed basic security hardening.

Why is a free VPN often the real product?

Running VPN servers, bandwidth and audits costs money. When an app charges nothing, the revenue usually comes from somewhere else — advertising SDKs, data brokerage or analytics baked into the app. That is why so many free VPNs quietly ship trackers: your browsing metadata and device identifiers are the business model. A trustworthy VPN earns money from subscriptions and commits to a no-logs policy, so it has neither the incentive nor the stored data to sell.

What it means for your data

A leaking VPN gives you a false sense of safety, which is more dangerous than knowing you are exposed. If DNS or traffic escapes the tunnel, your provider and anyone on the local Wi-Fi can see the sites you visit; if the tunnel has no encryption, login data and messages can be read in transit; if the config leaks in cleartext, an attacker can silently reroute you through a malicious server. And the tracking identifiers many of these apps leak can tie your activity back to you for months. If you suspect your data has already surfaced, check with our guide on how to check for a personal-data leak.

How to pick a VPN you can trust

Prefer a paid, transparent service. A clear subscription and a published no-logs policy are a better signal than "free forever." If you are not paying, ask what is being monetized.

Check for DNS-leak protection and a kill switch. These are exactly the features that stop the leaks the study found. See how they work on our features page.

Look at the encryption. Modern VPNs use strong, current ciphers and protocols — not Blowfish, triple DES or "none."

Review permissions and trackers before installing, and set your VPN up correctly. Our step-by-step guide to setting up a VPN on Android walks through it.

LiMP VPN is a paid, no-logs service for iOS and Android with DNS-leak protection and a kill switch built in — see the plans on our pricing page.

Sources

This report is based on the MVPNalyzer study covered by The Hacker News (10 July 2026) and Michigan Engineering News, and reported in Russian by Anti-Malware.ru.

281 Free Android VPNs Leak Your Traffic, 2026 Study | LiMP VPN