A research paper that investigated the privacy and security of 283 Android VPN apps concluded that “in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.”
Following is a non-exhaustive list, taken from the research paper, of some proprietary VPN apps that track users and infringe their privacy:
SurfEasy
sFly Network Booster
DroidVPN and TigerVPN
HideMyAss
VPN Services HotspotShield
WiFi Protector VPN
SurfEasy
Includes tracking libraries such as NativeX and Appflood, meant to track users and show them targeted ads.sFly Network Booster
Requests the READ_SMS and SEND_SMS permissions upon installation, meaning it has full access to users’ text messages.DroidVPN and TigerVPN
Requests the READ_LOGS permission to read logs for other apps and also core system logs. TigerVPN developers have confirmed this.HideMyAss
Sends traffic to LinkedIn. Also, it stores detailed logs and may turn them over to the UK government if requested.VPN Services HotspotShield
Injects JavaScript code into the HTML pages returned to the users. The stated purpose of the JS injection is to display ads. Uses roughly five tracking libraries. Also, it redirects the user’s traffic through valueclick.com (an advertising website).WiFi Protector VPN
Injects JavaScript code into HTML pages, and also uses roughly five tracking libraries. Developers of this app have confirmed that the non-premium version of the app does JavaScript injection for tracking the user and displaying ads.
Of VPN that Track Users and Infringe their Privacy
