Your Free VPN App Might Be Spying on You

You may be doing everything you can to protect your privacy online, using tools like multi-factor authentication, a secure password manager, and a VPN, but unfortunately, not all privacy-focused apps and services actually deliver on their promises. In its November fraud and scam advisory, Google warns users about VPN apps and extensions that appear legitimate but are actually malware vectors.
VPNs Can Actually Be Spyware
A VPN, or virtual private network, makes your Internet activity much harder to track by routing your traffic through the VPN provider's servers instead of sending it directly through your regular Internet Service Provider (ISP). This allows you to hide your IP address and location, hide your browsing data, and protect your information and devices from bad actors.
According to Google, malicious apps posing as real VPNs deliver information stealers, remote access Trojans and banking Trojans to users’ devices once installed, allowing hackers to access sensitive personal data such as browsing history, financial credentials and cryptocurrency wallet information. This means that an app you rely on to keep your information private could do the exact opposite. Cybercriminals capitalize on users’ trust in these services, creating apps that look like legitimate VPNs but are actually dangerous spyware.
How to Keep Your VPN App Secure
As with any app or extension, only download or install a VPN from an official source like the Google Play Store. Although malware can sometimes sneak in, this is generally safer and more reliable than sideloading from an email app or an unverified site.
In January 2025, Google launched a VPN verification process to help users identify trustworthy VPN apps in the Google Play Store. To earn a “verified” badge, VPN apps must undergo Mobile Application Security Assessment (MASA) Level 2 validation and participate in independent security reviews. Badges are awarded only to VPNs that have been published for at least 90 days and have reached 10,000 installs and 250 user reviews.
Of course, this system isn’t perfect either: as TechRadar reported earlier this year, a popular (free) Chrome VPN extension got a badge and was later found to be spying on users. This is why you should rely on a reputable VPN service, which means you will probably have to pay for it. Free VPNs are much more likely to become a privacy nightmare, and any app that seems too good to be true probably is. You won’t get unlimited, free traffic without sacrificing something.
Finally, review VPN permissions carefully and allow the minimum access possible for the app or extension to work. (You should do this with any app you download, and you should audit apps regularly to remove unnecessary permissions.) You can check your VPN service’s support pages to find out which permissions are essential. This should not include access to your contacts, camera, microphone or photos, for example.
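One way to carry out the permission review described above on an Android device is to read the app's permission state from `adb shell dumpsys package <package>` and flag anything in the categories a VPN should not need. The script below is an added example, not code from Google or the original article; the package name `com.example.freevpn`, the sample output, and the mapping of contacts, camera, microphone and photos to Android permission names are assumptions made for illustration.

```python
import re

# Constructed sample of `adb shell dumpsys package <pkg>` output for a
# hypothetical app, com.example.freevpn (not taken from a real app).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.freevpn] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
"""

# Assumed mapping of the article's four categories to Android permission names.
UNNEEDED = {
    "READ_CONTACTS": "contacts", "WRITE_CONTACTS": "contacts",
    "CAMERA": "camera", "RECORD_AUDIO": "microphone",
    "READ_MEDIA_IMAGES": "photos", "READ_EXTERNAL_STORAGE": "photos",
}
REQUESTED = re.compile(r"^[ \t]*android\.permission\.(\w+)[ \t]*$", re.M)
GRANT = re.compile(r"^[ \t]*android\.permission\.(\w+): granted=(true|false)", re.M)

def audit(dumpsys_text):
    """Return (granted, declared_only) lists of permissions a VPN should not need."""
    grants = {name: state == "true" for name, state in GRANT.findall(dumpsys_text)}
    seen = set(REQUESTED.findall(dumpsys_text)) | set(grants)
    flagged = sorted(seen & set(UNNEEDED))
    granted = [p for p in flagged if grants.get(p)]
    declared_only = [p for p in flagged if not grants.get(p)]
    return granted, declared_only

def revoke_commands(package, granted):
    """Build `pm revoke` commands for the permissions that are currently granted."""
    return [f"adb shell pm revoke {package} android.permission.{p}" for p in granted]

if __name__ == "__main__":
    granted, declared_only = audit(SAMPLE_DUMPSYS)
    for p in granted:
        print(f"GRANTED  {p} ({UNNEEDED[p]}): revoke it")
    for p in declared_only:
        print(f"DECLARED {p} ({UNNEEDED[p]}): deny if the app asks")
    print("\n".join(revoke_commands("com.example.freevpn", granted)))
```

Permissions reported as declared but not granted are worth noting too: the app can still prompt for them later, so they show what it was built to ask for.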




