ANDROID fans have been put on alert and delivered a shock warning about a number of popular apps on the Google Play Store.

Android users are being warned about “dangerous” permissions that popular Google Play Store apps are asking for.

Android is one of the most used pieces of software in the world, with the Google mobile OS running on over two billion devices each and every month.

The huge Android userbase has been subject to some high-profile security scares, with the Judy malware arguably the biggest in recent times.

This was feared to have left over 36million Android devices infected by dozens of apps found on the Google Play Store.

And now Android fans are once again being put on alert about a shock security issue they need to be aware of.

VPNs are big business, offering a service that gives those on public networks extra privacy and security.

But experts have claimed that over half of VPN apps for Android ask users for “dangerous” permissions.

Out of 81 apps downloaded from the Google Play Store, 62 per cent required dangerous permissions from Android users according to research.

Android

Android warning – ‘Dangerous’ Google Play Store apps used by millions, are you affected? (Image: GOOGLE • GETTY)

A dangerous permission “could potentially affect user’s privacy or the device’s normal operation” and “the user must explicitly agree to grant those permissions”.

The study was conducted by The Best VPN and revealed in a post online.

Android apps that asked for “dangerous” permissions included those downloaded millions of times from the Google Play Store.

Outlining the research from The Best VPN, John Mason wrote: “Many of the VPN apps reviewed in this study ask for permissions that are not needed for a VPN to function.

Malware from Google Play apps found in Android phones

“Some permissions are fairly harmless. Like the ability to cause the phone to vibrate or push app notifications.

“However others are more suspicious. While these permissions can be used for benign purposes, they also have the ability to compromise the user’s privacy.”

The study advised: “When selecting and installing a VPN app on Android, paying attention to permissions is important.

“Read the description and think about whether the app really needs the ability to record you in order to provide a VPN service.

Android

Android users have been put on alert about popular Google Play Store apps used by millions (Image: GETTY)

“Some of the apps from the biggest companies turned out to be the most suspicious in this study, so you can’t just trust the big names.”

A number of the apps that The Best VPN said were asking for “dangerous” permissions have been downloaded millions of times from the Google Play Store.

Click here to be directed to The Best VPN website to read the full list of apps allegedly asking for such permissions (see below).

https://www.express.co.uk/life-style/science-technology/1100764/Android-update-warning-Google-Play-Store-apps-VPN

The purpose of a permission is to protect the privacy of an Android user.

According to Android documentation for app developers, permissions fall into two groups – normal and dangerous.

  • Normal permissions – Don’t pose risk to the user’s privacy and are granted automatically by the system to the app.
  • Dangerous permissions – Could potentially affect user’s privacy or the device’s normal operation, the user must explicitly agree to grant those permissions.

As a VPN user, you want your VPN to not ask any kind of dangerous permissions that are not needed for the VPN app to function or which can compromise your privacy.

In this study, 81 Android VPN apps were evaluated based upon the permissions that they request.

Our goal was to find out the most commonly used permissions by the VPN apps as well as the questionable and more suspicious permissions that are either not needed for the VPN app to work or are violating the user’s privacy or security.

All of the tested apps were downloaded from the Google Play store and the permissions lists were extracted directly from the app’s .apk file. Here’s a more detailed Google spreadsheet with all the permissions from the tested Android VPN apps.

Most Commonly Asked Permissions By VPNs

Android has a variety of different permissions for different purposes. Depending on what an app wants to do and how it does it, it may need a different set of permissions. Table 1 shows the most common permissions requested by the VPN apps in this study.

Table 1. Most commonly requested permissions for Android VPN apps.

  • Green: Normal – permissions granted automatically by the Android system.
  • Red: Dangerous – permissions that compromise user’s privacy or system (user must agree).
PermissionCount
android.permission.INTERNETAllows VPN applications to open network sockets.81
android.permission.ACCESS_NETWORK_STATEAllows VPN applications to access information about networks.79
android.permission.WAKE_LOCKFor keeping device awake.58
android.permission.RECEIVE_BOOT_COMPLETEDTo notify if device restart is completed.55
android.permission.ACCESS_WIFI_STATEAllows VPN applications to access information about Wi-Fi networks.54
com.android.vending.BILLINGFor in-app billing purposes.50
com.google.android.c2dm.permission.RECEIVEPush notifications.49
com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICEGives the VPN developers information on how the users arrived to the app before installing.32
android.permission.WRITE_EXTERNAL_STORAGEAllows VPN to write to external storage, such as SD.27
android.permission.READ_EXTERNAL_STORAGEAllows VPN to read from external storage, such as SD.27
android.permission.FOREGROUND_SERVICEFor keeping the VPN application running.20
android.permission.READ_PHONE_STATEAllows read only access to phone state, including the phone number of the device, current cellular network information and the status of any ongoing calls.18
android.permission.ACCESS_COARSE_LOCATIONAllows the API to use WiFi or mobile cell data (or both) to determine the device’s location.16
android.permission.CHANGE_WIFI_STATEAllows VPN applications to change Wi-Fi connectivity state.16
android.permission.ACCESS_FINE_LOCATIONAllows VPN app to access users precise location.9

Many of the permissions above are needed for a VPN to function, these include getting access to Internet, checking your connection status and keeping your app awake. These are completely normal and shouldn’t cause any worry. They are listed as “normal” by the Android developers.

Some permissions, such as android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE was granted to all of the VPN apps automatically.

However, in this list, there were also “dangerous” permissions that could potentially compromise Android user privacy, these were related to getting access to your precise location, device name, your phone number and reading your SD card.

A Look Into “Dangerous” Permissions

Once we had identified all the permissions of each 81 VPNs (including the common ones), we filtered out permissions that were not needed for a VPN app to function and can potentially harm the user’s privacy.

Many of the VPN apps reviewed in this study ask for permissions that are not needed for a VPN to function.

Some permissions are fairly harmless. Like the ability to cause the phone to vibrate or push app notifications.

However others are more suspicious. While these permissions can be used for benign purposes (i.e. requesting access to coare location is a way to get the name of a WiFi network for handling reconnections), they also have the ability to compromise the user’s privacy.

Others have no legitimate purpose in a VPN app, like WRITE_SETTINGS which allows VPN app to write the system settings or READ_LOGS, which allows VPN app to read the low-level system log files.

Table 2. Apps with most suspicious/dangerous permissions

VPN Name# of dangerous permissionExact permission name
Yoga VPNGoogle Play link6android.permission.ACCESS_FINE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.WRITE_SETTINGS
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
proXPN VPNGoogle Play link5android.permission.ACCESS_FINE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
Hola Free VPNGoogle Play link4android.permission.READ_PHONE_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
Seed4.Me VPNGoogle Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
OvpnSpiderGoogle Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.READ_LOGS
android.permission.ACCESS_COARSE_LOCATION
android.permission.WRITE_EXTERNAL_STORAGE
SwitchVPNGoogle Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
Zoog VPNGoogle Play link4android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE

Most concerning permissions were used by the Yoga VPN app (5+ million installs on Google Play) and oVPNSpider that asked permissions to read and write system settings, get access to your phone state and your exact location with ability to read and write to SD which are not required for a VPN app to work.

Another notable permission used by oVPNSpider and tigerVPN is the READ_LOGS permission. This permission is no longer available to third-party apps (like VPNs) due to privacy concerns, and the app should not be requesting it at all.

Below are explanations of suspicious permissions asked by Android VPN apps:

1. WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE

Allows VPN to read and write to external storage – not needed for a VPN app to function and couldcompromise user’s privacy.

  • Permission: android.permission.WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE
  • Used by the following 27 VPN appsBetternet, Free VPN org, OneVPN, X-VPN, StarVPN, VPN One Click, Yoga VPN, AppVPN, ProXPN, Seed4me VPN, oVPNSpider, Goose VPN, SpyOFF, TouchVPN, SwitchVPN, Trust Zone, McAfee VPN, SurfEasy, Psiphon, TigerVPN, Dash VPN, Hotspot Shield, NordVPN, Hola VPN, SurfShark, VPN Secure, Zoog VPN.
2. READ_PHONE_STATE

Allows VPN read only access to phone state, including the phone number of the device, current cellular network information and the status of any ongoing calls – not needed for a VPN to work.

  • Permission: android.permission.READ_PHONE_STATE
  • Used by the following Android 18 VPN appsAvira VPN, Free VPN org, Norton Secure VPN, VPN One Click, Yoga VPN, HideMyAss, AVG VPN, ProXPN, Goose VPN, Touch VPN, McAfee VPN, SurfEasy, Kaspersky VPN, Speedify, Dash VPN, Hotspot Shield, ibVPN, Hola VPN.
3. ACCESS_COARSE_LOCATION

Allows VPN to use WiFi or mobile cell data (or both) to determine the device’s location – potential privacy risk.

  • Permission: android.permission.ACCESS_COARSE_LOCATION
  • Used by the following 16 VPN appsWindScribe, Free VPN org, Yoga VPN, HideMyAss, Avast VPN, AVG VPN, iVPN, ProXPN, oVPNSpider, TouchVPN, SwitchVPN, Kaspersky VPN, Psiphon VPN, Speedify, Dash VPN, Zoog VPN .
4. ACCESS_FINE_LOCATION

Allows a VPN app to access user’s precise location – high privacy risk. 

5. WRITE_SETTINGS

Allows VPN app to to read or write the system settings – high security and privacy risk.

6. READ_LOGS

Allows VPN app to read the low-level system log files. Not for use by third-party applications, because Log entries can contain the user’s private information – high privacy risk.

7. MANAGE_DOCUMENTS

Allows VPN application to manage access to documents, usually as part of a document picker. This permission should only be requested by the platform document management app. This permission cannot be granted to third-party apps.

8. DUMP

Allows an application to retrieve state dump information from system services. Not for use by third-party applications.

The Results

In the last table, we are listing out all the VPNs we tested and their permissions in total, custom permissions and suspicious permissions.

Table 3. VPN apps ranked by requested permissions

VPN name.apk file nameSuspicious PermissionsTotal PermissionsCustom Permissions
Yoga VPNcom.yogavpn6132
ProXPNcom.proxpn.proxpn5165
Dash VPNcom.actmobile.dashvpn5142
Seed 4 Meme.seed4.app.android4174
oVPNSpidercom.ovpnspider480
SwitchVPNcom.switchvpn.ovpn4123
Holaorg.hola4151
Zoog VPNcom.zoogvpn.android4132
Free VPN orgorg.freevpn3122
VPN One Clickcom.vpnoneclick.android370
Goose VPNcom.goosevpn.gooseandroid3113
TouchVPNcom.northghost.touchvpn3143
SurfEasycom.surfeasy3143
Psiphon VPNcom.psiphon3.subscription3110
Speedifycom.speedify.speedifyandroid3121
TigerVPNcom.tigeratwork.tigervpn391
Hotspot Shield VPNhotspotshield.android.vpn3163
ibVPNcom.ibvpn.client380
Betternetcom.freevpnintouch2164
OneVPNcom.dave.onevpnfresh292
Windscribecom.windscribe.vpn2142
X-VPNcom.security.xvpn.z35kb2132
Star VPNcom.peach.vpn2102
HideMyAsscom.hidemyass.hidemyassprovpn2196
Avg VPNcom.avg.android.vpn2196
SpyOFFcom.spyoff.client.android250
PureVPNcom.gaditek.purevpnics2216
Trust Zonezone.trust.vpn250
Mcafee Safe Connectcom.mcafee.safeconnect.android2102
Kaspersky VPNcom.kaspersky.secure.connection2174
SurfSharkcom.surfshark.vpnclient.android2144
VPN Securecom.vpnsecure.pty.ltd291
Ivacycom.ivacy1112
Avira Phantom VPNcom.avira.vpn.AviraVPNApplication1131
Norton Secure VPNcom.symantec.securewifi1133
Thunder VPNcom.fast.free.unblock.thunder.vpn193
AppVPNappvpn.vpn182
Avast VPNcom.avast.android.vpn1197
VPN In Touchcom.vpnintouch.android192
iVPNnet.ivpn.client160
VPN Unlimitedcom.simplexsolutionsinc.vpn_unlimited1174
OpenVPNde.blinkt.openvpn150
Hide My IPcom.hidemyip.hideme1101
PrivateVPNcom.pvpn.privatevpn170
VPN Areacom.vpnarea150
AirVPNorg.airvpn.eddie140
Anonymous VPNcom.aprovpn.openvpn140
NordVPNcom.nordvpn.android1144
Private Internet Accesscom.privateinternetaccess.android150
VPN acac.vpn.androidapp151
StrongVPNcom.strongvpn050
Hoxx VPNcom.hoxxvpn.main030
TurboVPNfree.vpn.unblock.proxy.turbovpn072
VPN Masterfree.vpn.unblock.proxy.vpn.master.pro072
Disconnect Mecom.disconnect.samsungcontentblocker031
HexaTechtech.hexa0124
CyberGhostde.mobileconcepts.cyberghost0114
AstrillVPNcom.astrill.astrillvpn020
Torguardnet.torguard.openvpn.client060
UltraSurfus.ultrasurf.mobile.ultrasurf010
ProtonVPNcom.protonvpn.android050
VPN 360co.infinitysoft.vpn360062
F-Secure VPNcom.fsecure.freedome.vpn.security.privacy.android0102
IPVanishcom.ixolit.ipvanish050
Browsec VPNcom.browsec.vpn082
Cactus VPNcactusvpn.app082
Private Tunnelnet.openvpn.privatetunnel060
Buffered VPNcom.buffered.vpn040
LiquidVPNcom.liquidvpn.liquidvpn030
BlackVPNcom.blackvpn072
Hotspot VPNcom.hotspotvpn.android050
DotVPNcom.dotvpn.vpn050
ZenMatecom.zenmate.android0124
Encrypt Mecom.stackpath.cloak0103
ExpressVPNcom.expressvpn.vpn0102
SaferVPNcom.safervpn.android082
FastestVPNcom.vpn.fastestvpnservice062
VPNHubcom.appatomic.vpnhub093
VPN Tunnelcom.oneonone.vpntunnel.android082
VyprVPNcom.goldenfrog.vyprvpn.app082

Link to spreadsheet of all the permissions asked by the VPNs.

In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough.

However, as an average, 11 permissions are asked per VPN app.

Android provides a wide variety of possible permission for applications to take advantage of. However, there is also the potential for apps to define their own permissions as well. In many cases, these permissions are benign, like allowing an app to talk to the maker’s cloud systems (a commonly requested one for these apps).

Higher up the table are VPN apps that have the most dangerous permissions that could affect user’s privacy. Especially Yoga VPN, ProxPN and TigerVPN

However, the use of a large number of dangerous permissions could be cause for suspicion.

When selecting and installing a VPN app on Android, paying attention to permissions is important. Read the description and think about whether the app really needs the ability to record you in order to provide a VPN service. Some of the apps from the biggest companies turned out to be the most suspicious in this study, so you can’t just trust the big names.

https://thebestvpn.com/android-vpn-permissions/