A sweeping investigation into free VPN apps on the Google Play Store has uncovered alarming security failures: 29 apps leaked unencrypted traffic, and 24 exposed users’ DNS queries, leaving millions of Android device owners vulnerable to surveillance and data interception. The findings, published this week by the cybersecurity testing organization Top10VPN, reveal that many of the most popular free VPNs fail at their most basic job—keeping your online activity private.

Researchers tested over 200 free VPN apps from Google Play with at least 50,000 installs each. The study focused on the common but critical mistake of traffic leaks: whether apps actually routed all device data through their encrypted tunnels, and whether DNS requests—the internet’s equivalent of a phonebook lookup—were hidden. The results: 29 apps leaked raw traffic outside the VPN tunnel, meaning anyone on the same Wi-Fi network could spy on unencrypted data. Twenty-four exposed DNS queries to the user’s internet service provider or other interceptors, essentially logging every website visited. In many cases, the VPN icon sat in the status bar, falsely signaling a secure connection.

What Exactly Went Wrong? The Leaky VPN Breakdown

A Virtual Private Network is supposed to encrypt all device traffic and send it through a remote server. When it fails, the consequences are twofold:

  • Traffic leaks: Some apps only routed specific browser traffic while leaving other apps—like email, social media, or background processes—exposed. In other cases, the VPN crashed silently during network changes (say, switching from Wi-Fi to mobile data) without falling back to a kill switch. The study found that 29 apps never established a proper tunnel, or dropped it without warning.

  • DNS leaks: DNS queries translate human-friendly URLs (like windowsnews.ai) into IP addresses. When a VPN leaks DNS, your ISP—or anyone monitoring the network—can see exactly which sites you visit. Twenty-four apps sent DNS requests directly to Google’s or the ISP’s servers instead of through the VPN, completely bypassing the privacy promise.

Among the offending apps were some with millions of downloads, advertised as “fast free VPN,” “unlimited proxy,” and “secure hotspot shield.” Names leading the list include Super VPN Fast Proxy, Turbo VPN, and Secure VPN—all ranking among Google Play’s top downloads. Researchers also flagged apps that injected their own tracking libraries or required invasive permissions, compounding the privacy invasion.

What This Means for You

For Everyday Users

If you installed a free VPN because it was advertised as a simple way to browse privately on public Wi‑Fi or access geo-blocked content, odds are you trusted the green “VPN is active” key icon. That trust is misplaced. Without a fully encrypted tunnel, hackers on the same coffee shop network can capture login credentials, credit card numbers, or personal messages sent over HTTP. Even HTTPS traffic isn’t fully safe: although the content is encrypted, an eavesdropper still sees which servers you contact—and DNS leaks reveal every domain.

More disturbing, many of these apps siphon personal data in the background. The research notes that several free VPNs sent telemetry to third-party analytics and ad networks, including Facebook and Yandex, without clear disclosure. So not only did they fail to protect you, they actively harvested your behavior.

For Power Users and IT Administrators

For those responsible for corporate devices or family phones, the risk multiplies. A leaked DNS query from an employee’s phone could expose internal service names or reveal that a device has connected to a malicious domain. Meanwhile, if a family member uses a leaky VPN to pretend privacy while actually exposing the household’s web history to the ISP, the whole network’s reputation is at stake. This is especially concerning in regions where ISPs sell browsing data or where journalists and activists rely on VPNs for safety.

How We Got Here: The Free VPN Gold Rush

The Google Play Store is awash with free VPN apps—over 300 claim the keyword. Their explosion follows a simple formula: offer “unlimited” data, show ads, and harvest whatever user data can be monetized. Legitimate VPN providers, such as ProtonVPN, Windscribe, or TunnelBear, offer free tiers as loss leaders for their paid services, but they maintain privacy standards and undergo independent audits. The bottom‑dwelling apps, however, burn through venture capital or ad revenue without genuine security engineering. Google’s automated app review struggles to catch subtle VPN failures because they typically involve run‑time behavior, not malware signatures. Until now, no large‑scale test publicly called out the leaky ones.

Prior incidents hinted at the problem. In 2022, researchers discovered that several VPN apps were sharing users’ real IP addresses with advertisers. Google has since tightened Play Store policies to require VPN apps to disclose data collection, but enforcement remains uneven. This new research is the first to systematically measure traffic and DNS integrity across hundreds of apps using a custom testbed that simulated real‑world network switches.

What to Do Now: Protect Your Android Phone

1. Audit your installed VPNs immediately. Open Settings → Security & privacy → More security settings → VPN (or search “VPN” in Settings). You’ll see a list of every app that has created a VPN profile. If you don’t recognize an entry, or if it corresponds to a free app you never explicitly wanted, remove it. Tap the gear icon next to the VPN name and select “Forget VPN.” Then uninstall the app itself.

2. Check for leaks on your current VPN. With the VPN active, visit a leak‑testing site like ipleak.net or dnsleaktest.com on your phone. Both show your public IP address and DNS server. If the IP does not match the VPN’s claimed exit server, or if DNS servers belong to Google, your ISP, or a different provider, you have a leak. Run the test, disconnect the VPN, and see if results change.

3. Switch to a vetted provider. Free doesn’t have to mean dangerous, but you must choose one that publishes third‑party audit reports. ProtonVPN’s free plan, for instance, has no data cap and doesn’t sell user data; Windscribe offers 10 GB/month with a clear privacy policy. If your budget allows, a paid service like Mullvad (€5/month) or IVPN comes with guaranteed leak protection and a kill switch that has been battle‑tested.

4. Enable built‑in Android safeguards. Starting with Android 12, you can set a “Private DNS” server (dns.google or one.one.one.one) that encrypts all DNS queries at the system level, even outside a VPN. Go to Settings → Network & internet → Private DNS, select “Private DNS provider hostname,” and enter dns.quad9.net (for malware filtering plus privacy) or one.one.one.one. This won’t hide your IP, but it cripples ISP snooping on your browsing.

5. Use a hardware or organizational VPN where possible. If your workplace offers a managed VPN, use it. Home users can set up a VPN on their router, protecting every device, including smart TVs and IoT gadgets, which don’t support VPN apps natively. WireGuard‑based routers are easy to configure and eliminate the “random app” trust problem entirely.

6. Report and review. Flag leaky apps on Google Play by scrolling to the bottom of the app page, tapping “Flag as inappropriate,” and selecting “Other objection…” with a note about the privacy failure. Leaving a detailed review warning others can limit further installs while Google investigates.

Outlook: Will Google Crack Down?

Google’s current policy requires VPN apps to disclose data collection and prohibits deceptive behavior, but it does not mandate leak testing. The new research puts pressure on the company to introduce automated, dynamic analysis that simulates real‑world conditions—such as network handoffs—before an app can use the VPN service. Chrome’s desktop browser already warns when a VPN extension leaks DNS; a similar check on Android could become part of Play Protect. Until then, the responsibility falls on you. Trusting a free VPN should never be a convenience decision—it’s a security decision, and the evidence says most free options are failing that test.