
Free VPN Apps Collected Millions of User Records in 2025: The Business Model Isn't Broken, It's Working Exactly as Designed

Written by: IndustryTrends

Google blocked 1.75 million malicious apps from the Play Store in 2025. A significant portion were utilities and VPN applications. Play Protect scanned 350 billion apps daily and flagged 27 million malicious installs from sources outside the official store. Eighty thousand developer accounts were permanently banned. These are Google's own numbers, published in February 2026. And they describe a system that is working hard to contain a problem it structurally cannot solve.

The problem isn't that bad actors slip through the review process. The problem is that the free VPN business model itself incentivizes data collection. A VPN service costs money to operate: servers, bandwidth, engineering, legal compliance. When the user pays nothing, the revenue comes from somewhere else. In most cases, it comes from the user's data. Gizmodo ran a detailed evaluation of which free VPN services actually hold up under scrutiny, separating the handful of legitimate free tiers (Proton VPN, Windscribe) from the hundreds of apps that exist primarily to harvest traffic. The distinction matters more in 2026 than it ever has.

What "Free" Actually Funds

A Top10VPN investigation of 100 free Android VPN apps, published in 2024 and still the most granular public audit available, found that almost 90% leaked some form of user data. Seventeen of those apps leaked more than DNS request information. Over a third used encryption weaker than the current standard. Nearly 70% requested permissions that have no legitimate VPN use case, including location tracking (20%) and scanning installed apps (46%).

The data pipelines are specific and documented. Half the audited apps contained functions in their source code that sent data directly to third parties, including ByteDance and Yandex. These aren't obscure intermediaries. ByteDance operates TikTok. Yandex is Russia's dominant search engine and advertising platform. The SDKs embedded in these VPN apps collect device identifiers, browsing patterns, installed app lists, and in some cases GPS coordinates. All of this is packaged and sold to ad networks and data brokers.

I think the framing matters here. These apps aren't "leaking" data through negligence. They're collecting it by design. The SDK integration is intentional. The permissions are deliberate. The architecture is built to extract value from the user because the user isn't paying in money.

The Permission Problem That App Stores Can't Fix

Zimperium's 2025 analysis of free VPN apps across Android and iOS found something more troubling than data collection. On Android, dozens of VPN apps requested `AUTHENTICATE_ACCOUNTS` (the ability to add, remove, or alter device accounts and hijack authentication tokens for banking apps) and `READ_LOGS` (system-wide log access enabling keylogging across all installed apps). On iOS, over 6% of audited VPN clients sought persistent GPS tracking permissions and deep OS access far beyond anything a tunnel application needs.

Some apps exported activities and content providers without proper permission checks, allowing external applications to query VPN logs, inject malicious configuration profiles, or silently launch phishing interfaces. Zimperium documented cases where exported components could disable encryption on demand, rerouting traffic through attacker-controlled servers.
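The two findings above, over-broad permissions and exported components with no permission guard, are both visible in an app's manifest before it is ever installed. The following script is an added example, not code from the article or from Top10VPN or Zimperium: it parses a constructed AndroidManifest.xml, reports dangerous permissions that a tunnel app has no use for (the list of permissions and their one-line risk labels are this example's own choices, built from the ones named in the text), and flags any activity, service, receiver or provider that is exported without an `android:permission` attribute. The app's launcher activity and its `VpnService`, which is legitimately exported but guarded by `BIND_VPN_SERVICE`, are exempted so that a clean VPN client produces no findings.

```python
"""Static manifest audit for a VPN client.  Added example; the manifest below is
constructed for illustration and does not describe any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Fully qualified name of an android:<attr> manifest attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permissions a tunnel application does not need.  Risk labels are this
# example's own summary (assumption), not an official classification.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_LOGS": "system-wide log access",
    "android.permission.AUTHENTICATE_ACCOUNTS": "device account / token manipulation",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.QUERY_ALL_PACKAGES": "enumerating installed apps",
    "android.permission.GET_ACCOUNTS": "account enumeration",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
MAIN_ACTION = "android.intent.action.MAIN"


def _is_launcher(component: ET.Element) -> bool:
    """The launcher activity must be exported and unguarded; don't flag it."""
    return any(action.get(_a("name")) == MAIN_ACTION
               for action in component.findall("intent-filter/action"))


def audit_manifest(xml_text: str) -> dict:
    """Return suspicious permissions and unprotected exported components."""
    root = ET.fromstring(xml_text)
    findings = {"suspicious_permissions": [], "unprotected_exports": []}

    for up in root.iter("uses-permission"):
        name = up.get(_a("name"), "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings["suspicious_permissions"].append((name, SUSPICIOUS_PERMISSIONS[name]))

    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported_attr = comp.get(_a("exported"))
        if exported_attr is not None:
            exported = exported_attr.lower() == "true"
        else:
            # Before targetSdk 31 a component with an intent filter is
            # exported by default, so treat a missing attribute that way.
            exported = comp.find("intent-filter") is not None
        if not exported or _is_launcher(comp):
            continue
        # An exported component with no android:permission can be driven by
        # any app on the device: the exposure Zimperium describes.
        if comp.get(_a("permission")) is None:
            findings["unprotected_exports"].append((comp.tag, comp.get(_a("name"))))
    return findings


# Constructed manifest: one legitimate VPN service, plus the kinds of
# over-permissioning and unguarded exports discussed in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Free VPN">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TunnelService" android:exported="true"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <activity android:name=".ConfigImportActivity" android:exported="true"/>
    <provider android:name=".LogProvider"
              android:authorities="com.example.freevpn.logs"
              android:exported="true"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for name, why in result["suspicious_permissions"]:
        print(f"PERMISSION  {name}: {why}")
    for tag, name in result["unprotected_exports"]:
        print(f"EXPORTED    <{tag}> {name} has no android:permission guard")
```

On the constructed manifest this reports three permissions a VPN has no use for and two unguarded exported components (the config-import activity and the log provider), while the guarded `TunnelService`, the launcher activity and the non-exported receiver pass. Running the same check against the manifest pulled from a real APK is a cheap first filter; it does not prove intent, but a tunnel app that asks for `READ_LOGS` and exposes a log provider to every other app on the device has already told you what its business model is.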

Google's response has been reactive. The "Free Unlimited VPN" Chrome extension was removed in May 2025 after years of data theft. By July 2025, a new version was back on the Chrome Web Store. LayerX Security reported in November 2025 that the rebuilt extension was "notably more advanced and evasive than the old one." The game of whack-a-mole continues because the economics haven't changed.

The Exceptions That Prove the Rule

Not every free VPN is a data harvesting operation. Proton VPN's free tier operates under Swiss jurisdiction, carries no ads, imposes no data caps, and is funded by the revenue from paid subscribers. Proton has undergone multiple independent audits. Windscribe offers a free tier with 10GB monthly and a transparent privacy policy. These are loss leaders, not products. They exist to convert free users into paying customers.

The difference is measurable. Proton VPN's free tier uses the same WireGuard-based infrastructure as its paid plans. It doesn't inject SDKs, doesn't request location permissions, and doesn't monetize traffic data. A random free VPN from the Play Store top charts does all of those things, and more.

In Q3 2024, Kaspersky reported that the number of users encountering fake VPN apps jumped 2.5 times compared to Q2. The 911 S5 botnet, dismantled in May 2024, had turned millions of devices running free VPN apps into a proxy network for fraud, money laundering, and cyberattacks. The devices' owners had no idea their phones were participating.

What the Data Economics Actually Look Like

Running a VPN server in a major market costs between $50 and $200 per month depending on bandwidth and location. A free app with 10 million users connecting to 50 servers generates operating costs that can easily exceed $100,000 monthly. That money has to come from somewhere.

The most common revenue sources for free VPN apps: advertising SDKs (present in nearly half the apps audited by Top10VPN), data brokerage (selling browsing metadata and device fingerprints), residential proxy networks (routing third-party traffic through users' devices, as the 911 S5 botnet demonstrated), and credential harvesting (intercepting login tokens via permission abuse).

I think the cybersecurity industry needs to stop treating malicious free VPN apps as a consumer education problem. The economic incentive is structural. As long as operating a VPN costs money and users expect the service for free, the gap will be filled by data extraction. Google can remove 1.75 million apps per year and the supply will replenish, because the unit economics work for the operators and the cost is externalized onto the users.

The few free tiers worth using exist because a profitable paid product subsidizes them. Everything else is a transaction where the currency is your data, your device resources, or both. The only question is whether you know which side of that transaction you're on.
