Installing some of the most popular Android free virtual private networking (VPN) apps could not only put users' privacy at risk, but also give them malware, large-scale testing has found.
Privacy Central tested 150 of the most popular free VPN apps for Android available in Google's Play store.
The apps have collectively seen over 260 million installations, and Privacy Central looked for how effective the encryption they use is, browser leaks, malware, and dangerous functions and behaviours.
Alarmingly, over a quarter of the VPN apps tested leaked domain name system (DNS) information and failed to protect users. Four apps leaked WebRTC (a real time communications protocol for browsers) data; two leaked DNS, Internet Protocol addresses and WebRTC, data that VPNs is supposed to hide from networks they operate on.
Privacy Central also scanned the apps on Google's VirusTotal site, which uses over 60 anti-virus utlities. Disturbingly, 27 of the 150 apps, several with millions of installs, tested positive for malware on VirusTotal.
On top of the above, two-thirds of the apps tested contain functions with potential for privacy abuse, and the vast majority asked for intrusive permissions from users, categorised as dangerous by the official Android developer documentation.
Some apps would ask permission to access cameras and microphones for recording without users' knowledge, accessed contacts and secretely sent SMS text messages as well.
The only thing all apps did correctly as to establish encrypted VPN connections Privacy Central said.
However, network testing revealed that over half of the apps suffered performance issues including packet loss, low bandwidth and excessive buffering, issues likely to cause problems with communications apps and gaming in particular.
Privacy Central slammed the freebie apps as being "nowhere near good enough" and said risky permissions and functions are not found in paid-for VPNs, which prevents privacy abuse.