VPN Warning List – Is your VPN safe?

Can I let you in on a little secret?

When it comes to protecting your privacy, most VPNs fail.

Many popular, highly-rated VPN services will leak your IP address, infect your computer with malware, install hidden tracking on your devices, steal your private information, leave your data exposed to third parties, and even steal your bandwidth.

As you will see below, many of the popular VPNs are not safe to use – especially if you are using a VPN to protect your privacy online.

VPNs can look perfect on the surface and be an absolute privacy and security disaster when you take a closer look.

To combat the growing confusion and deception in the VPN market, I decided to create the VPN Warning List (which is a work in progress). This warning list contains information that I personally find to be troubling with various VPNs and the overall VPN market.

Disclaimer: This list does not necessarily reflect the latest information on every VPN service and/or app. Everything on this list is based on information that is well sourced and freely available online.

VPN WARNING List

5 Eyes countries – Always consider the legal jurisdiction of your VPN provider. The following five countries are working together in an alliance to collect, share, and analyze mass surveillance data: United States, United Kingdom, Australia, Canada, and New Zealand.

14 Eyes countries – In addition to the five countries above, the following countries are also working together to collect and analyze mass surveillance data: (5 eyes countries), France, Denmark, Netherlands, Norway, Italy, Germany, Belgium, Spain, and Sweden. (Note: Israel should also be included with the 14 countries above. According to many sources, Israel is a close partner with the NSA and other spying regimes.)

Apps for Android and iOS – In general, you should be cautious when downloading any VPN app on your mobile device. A study of Android VPN apps found that 84% will leak your IP address, 82% will attempt to access your sensitive data, 75% utilize third-party tracking, 38% contain malware, and 18% don’t even encrypt your data (leaving you completely exposed). But this is no surprise. Over the years all kinds of apps have proven to be a security and privacy nightmare, for both Android and iOS. If you want to secure your mobile devices (without adding more apps) see here: Android guide and also iOS guide.

Archie VPN – Archie VPN was listed as #6 on the Top 10 most malware-infected Android VPN apps. Different forms of malware identified in the study included: adware, Trojan, malvertising, riskware, and spyware (see here for more info).

Betternet – In reviewing and testing Betternet, I found a number of alarming items, such as Betternet giving third parties access to your data that’s collected through their VPN. An academic research paper listed Betternet as #4 on the Top 10 most malware-infected Android VPN apps. They were also busted for embedding 14 different third-party tracking libraries into their Android VPN app, while promising users “privacy and security”… [Read Betternet Review…]

CM Data Manager – CM Data Manager was identified in an academic paper because its Android VPN app is considered “malicious or intrusive.”

CrossVPN – CrossVPN was listed as #5 on the Top 10 most malware-infected Android VPN apps. Different forms of malware identified in the study included: adware, Trojan, malvertising, riskware, and spyware (see here for more info).

DNSet – DNSet was identified in an academic paper because its Android VPN app is considered “malicious or intrusive.”

Easy VPN – Easy VPN was listed as #2 on the Top 10 most malware-infected Android VPN apps. (Note: the app developer behind Easy VPN was also responsible for “ok VPN” which was the most malware-infested VPN app in the Google Play store – but has since been removed.) Easy VPN incorporates adware on its source code and requests the SYSTEM_ALERT_WINDOW permission to draw window alerts, such as unwanted ads, on top of any other active app. (See here for more info.)

Fake VPNs – With the growing interest in VPNs, there are even fake VPNs services popping up. When I say “fake” what I mean is that there are no servers, no software, and no VPN – instead it’s just someone trying to steal your money while pretending to be a VPN. One example of this was MySafeVPN, which was sending out scam emails and defrauding customers who paid money, expecting there to be an actual VPN service.

Fast Secure Payment – Fast Secure Payment was listed as #10 on the Top 10 most malware-infected Android VPN apps. Different forms of malware identified in the study included: adware, Trojan, malvertising, riskware, and spyware (see here for more info).

Flash Free VPN – Flash Free VPN was caught embedding 11 different third-party tracking libraries into its Android VPN app. This seriously affects the privacy and security of the user. (See here for more info.)

Free VPNs – (This refers to all the free VPNs currently flooding the market.) Free VPN services have proven to be a privacy and security disaster. Free VPNs make money by recording and selling your data, hitting you with ads, and/or redirecting your browser to e-commerce and third-party websites. Many of the most popular free VPNs in the Google and Apple stores are loaded with malware. As the saying goes, “If something is free, then you are the product.” (See the Free VPNs guide for a discussion on the dangers and risks of free VPNs.)

Globus VPN – Globus VPN was identified in an academic paper because its Android VPN app is considered “malicious or intrusive.”

HatVPN – HatVPN was listed as #7 on the Top 10 most malware-infected Android VPN apps. Different forms of malware identified in the study included: adware, Trojan, malvertising, riskware, and spyware (see here for more info).

Hide My Ass – Hide My Ass (HMA) is a based in the United Kingdom – which is a bad location for privacy due to mandatory data retention and mass surveillance. Making matters worse, HMA has a troubling history of turning over customer data to law enforcement agencies around the world.

Hola – Hola is an Israel-based VPN service that has been caught stealing user bandwidth and fraudulently reselling it through their sister company Luminati. Hola users act as endpoints for the entire network. This means other people are using your bandwidth and IP address when you use Hola, and you can be busted for their activities. (Also discussed in the Free VPNs guide.)

Hotspot Shield VPN – Hotspot Shield VPN was directly identified in an academic paper for “actively injecting JavaScript codes using iframes for advertising and tracking purposes” with their Android VPN app. Furthermore, analysis of Hotspot Shield VPN’s source code revealed they “actively use more than 5 different third-party tracking libraries.” They were also exposed for redirecting user traffic to e-commerce domains, such as alibaba.com and eBay.com through partner networks (See study here.). Users also complain about fraudulent activity after purchasing their paid VPN service. Also troubling is their Privacy and Security Policy which includes: third-party data sharing, IP address sharing, tracking, web browsing data collection, and geographical information.

Update: Hotspot Shield has also been in the news recently because their VPN was found to leave users vulnerable to having their location exposed. Hotspot said they are working on a fix. See additional information here.

Ip-shield VPN – Ip-shield VPN was found to be embedding third-party tracking libraries into their Android VPN app. These tracking libraries (such as NativeX and Appflood) are used to hit users with targeted ads, thereby monetizing the “free” app. (See here for more info.)

Ivacy VPN – Ivacy is a Hong Kong VPN provider that has some troubling issues. Their refund policy limits you to 500 MB of bandwidth and 30 sessions. Certain bloggers have also accused Ivacy of falsifying their VPN server locations, meaning that you’re not getting the locations you paid for. Many people believe that Ivacy and PureVPN are under the same company and using the same network infrastructure.

“No Logs” VPNs – There are countless VPNs claiming to be a “no logs” VPN service, and then burying their logging activities in their Privacy Policies. Instead of saying the word “log” they may refer to data that is “kept” or “stored” or “collected” by the VPN provider. Examples of this include Betternet and PureVPN. While connection logs aren’t necessarily bad (see here), lying about logging policies and making contradictory claims is a growing problem.

One Click VPN – One Click VPN was listed as #9 on the Top 10 most malware-infected Android VPN apps. Different forms of malware identified in the study included: adware, Trojan, malvertising, riskware, and spyware (see here for more info).

Opera “Free VPN” – Opera’s browser now includes what it calls a “free VPN” which they say is “better for online privacy” (see here). First, this is not a VPN at all. Security experts have shown that this is just a web proxy, which uses API requests. Second, Opera’s privacy policies include statements about data collection (including usage data) and how this is shared with third parties (see here). If you’re still thinking about using Opera’s “free VPN” – read this first.

PureVPN – My PureVPN review uncovered many problems. My testing identified continuous IPv6 leaks, IPv4 leaks, and DNS leaks with their VPN applications. Even more problematic, all of these leaks were detected with PureVPN’s leak protection “features” enabled, and the VPN client informing me that my “real IP address is hidden.” PureVPN was also caught handing over customer data to the FBI (US authorities) despite claiming to have a “zero log policy”.

Rocket VPN – Rocket VPN was identified in an academic paper because its Android VPN app is considered “malicious or intrusive” and it also tested positive for malware by VirustTotal.

SuperVPN – SuperVPN was listed as #3 on the Top 10 most malware-infected Android VPN apps. Different forms of malware identified in the study included: adware, Trojan, malvertising, riskware, and spyware (see here for more info).

Surfeasy – Surfeasy was found to be embedding third-party tracking libraries into their Android VPN app. These tracking libraries (such as NativeX and Appflood) are used to hit users with targeted ads, thereby monetizing the “free” app. Additionally, the Surfeasy privacy policy explains how they are collecting “usage data” – see here.

Spotflux VPN – Spotflux VPN was identified in an academic paper because its Android VPN app is considered “malicious or intrusive.”

Tigervpns – Tigervpns was identified in an academic paper because its Android VPN app is considered “malicious or intrusive” and it also tested positive for malware by VirustTotal.

VPN Free – VPN Free was identified in an academic paper because its Android VPN app is considered “malicious or intrusive” and it also tested positive for malware by VirustTotal.

VPN Master – There are many free VPNs offered in the Google Play or Apple stores using variations of the “VPN Master” name. Through testing I have found that these VPN Master apps are full of dangerous malware, despite having high ratings and millions of users. I even found that one of these free VPN apps called “VPN Master Free unlimed proxy” (sic) is owned and operated by a Chinese data collection company called TalkingData. [Read More…]

VPNSecure – VPNSecure is based in Australia – a 5 eyes country that is not good for privacy. VPNSecure was also identified in an academic paper for leaking IPv6 and DNS requests, which leaves its users exposed to “surveillance and malicious agents.” The same paper also noted that VPNSecure has a number of egress points in residential ISPs. This suggests that users are unknowingly being used as endpoints in a P2P-like bandwidth network – i.e. user bandwidth is being stolen (although the paper could not confirm this). (See here for more info.)

Wifi Protector VPN – Wifi Protector VPN was directly identified in an academic paper for “actively injecting JavaScript codes using iframes for advertising and tracking purposes” with their Android VPN app.

---

Conclusion

This list illustrates one fact that’s often repeated on this site: using no VPN is better than using a bad VPN.

Even if you didn’t find your VPN on this Warning List, be careful. Many popular and highly-rated VPNs have problems, such as IP leaks and non-working features.

Free VPN services are even more dangerous, because most contain malware, tracking or other privacy problems.

That’s why it’s a good idea to regularly test your VPN to make sure it’s working correctly.

See this VPN testing guide.

Are you tired of reading about bad VPNs? Then check out the best VPN list for some recommendations, which have all passed rigorous testing and are located in good privacy jurisdictions.

Stay safe!

Last Updated: February 12, 2018 (Added update to Hotspot Shield VPN.)