The latest warning for iPhone and Android users should see millions of apps deleted from phones and millions more never installed in the first place. The warning itself isn’t new, but this time it comes directly from the U.S. government. Hopefully that means users will take it more seriously.
While the security vulnerabilities in SMS and RCS texting have taken center stage in this month’s FBI and CISA warnings, the agencies have also told users to keep the firmware on their phones updated at all times and to use safe browsing, DNS masking and password managers where available.
The final warning hasn’t yet generated headlines, but it addresses just as real a security risk as open texting across cellular networks. “Do not use a personal virtual private network,” the U.S. government’s cyber defense agency warns. “Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface.”
This is not news. Time and again, cybersecurity experts have warned the same. Last month, Kaspersky warned that the number of dangerous free VPN installs is soaring, “increasing by 2.5 times compared to Q2 globally. These apps were malware or programs that could be potentially used by malicious actors. This surge,” Kaspersky warns, “has continued into Q4.”
And in June, the specialist website Top10VPN tested the “100 most popular free Android VPN apps in the Google Play Store… with 2.5 billion worldwide installs between them,” and found the following issues:
- More than 10% of the apps “suffered encryption failures.”
- Almost 90% of the apps “suffered some kind of leak.”
- Almost 70% of the apps “requested at least one privacy-risking permission.”
- Almost one in three of the apps abused permission requests.
- Almost three-quarters of the apps “shared personal data with third parties.”
- Almost 20% of the apps were flagged as malware by anti-virus scanners.
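The permission findings above are the easiest of these to reproduce yourself before installing a VPN app. The following is an added example, not code from the article or from Top10VPN’s test methodology: it takes a decoded AndroidManifest.xml (for instance as produced by `apktool d app.apk`) and triages the permissions it requests against what a tunnelling VPN client actually needs. The three permission sets, the sample manifest and the package name `com.example.freevpn` are the author’s own assumptions, constructed for illustration; a real VPN service must declare `android.permission.BIND_VPN_SERVICE` on its `VpnService` subclass, so an app calling itself a VPN that declares no such service is the first thing to flag.

```python
"""Triage an Android 'VPN' app's decoded manifest for permission abuse.

Added example; the permission categories below are assumptions made for
illustration, not Top10VPN's or CISA's criteria.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# What a plain tunnelling VPN client legitimately needs (assumed baseline).
EXPECTED_VPN_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.POST_NOTIFICATIONS",
}

# Runtime permissions that expose personal data a VPN has no need for (assumed).
PRIVACY_RISKING_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Permissions that turn a "VPN" into a dropper, overlay or spyware platform (assumed).
HIGH_RISK_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.QUERY_ALL_PACKAGES",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Parse a decoded manifest and bucket its requested permissions."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {el.get(NAME) for el in root.iter(tag) if el.get(NAME)}
    # A genuine VPN exposes a VpnService guarded by BIND_VPN_SERVICE.
    declares_vpn_service = any(
        svc.get(PERMISSION) == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "requested": requested,
        "privacy_risking": requested & PRIVACY_RISKING_PERMISSIONS,
        "high_risk": requested & HIGH_RISK_PERMISSIONS,
        "unexpected": requested - EXPECTED_VPN_PERMISSIONS,
        "declares_vpn_service": declares_vpn_service,
    }


def verdict(report: dict) -> str:
    """Turn the triage buckets into a single install/review/reject decision."""
    if not report["declares_vpn_service"]:
        return "reject: no VpnService declared, this app is not a tunnelling VPN"
    if report["high_risk"]:
        return "reject: high-risk permissions " + ", ".join(sorted(report["high_risk"]))
    if report["privacy_risking"]:
        return "review: privacy-risking permissions " + ", ".join(sorted(report["privacy_risking"]))
    return "ok: only expected VPN permissions requested"


# Constructed sample manifest for a hypothetical free VPN (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService" android:exported="true"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for bucket in ("privacy_risking", "high_risk", "unexpected"):
        print(f"{bucket}: {sorted(report[bucket])}")
    print(verdict(report))
```

The sample app declares a real VpnService, so it would work as a VPN, yet it also asks for contacts, precise location and the right to install other packages; the script rejects it outright on the last of these. Treat the permission lists as a starting point to tune, and remember that a clean manifest says nothing about the leaks or encryption failures Top10VPN measured, which need traffic-level testing.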
As CISA itself says, “many free and commercial VPN providers have questionable security and privacy policies.” While its advice is to avoid such apps unless “your organization requires a VPN client to access its data,” I would not go that far.
VPNs are fine to use, and critical in certain situations: on public Wi-Fi in open or untrusted environments, especially overseas, or when you want to hide your IP address and location from the sites you visit and from anyone monitoring traffic on the local network or at your ISP. Bear in mind that the VPN provider itself still sees that traffic, which is exactly the risk shift CISA describes.
VPNs are often the only way users behind digital curtains in places like Russia, China and Iran can reach overseas websites and comms platforms. This is why Apple removing VPNs from its Russian App Store triggered such headlines.
I’ll repeat my golden rules for VPN usage here and strongly suggest you follow them:
- Only install VPNs from the Play Store or App Store.
- Only use paid VPNs with a clearly priced, openly stated subscription for a sensible amount, never ones that rely on obscure in-app purchases.
- Only use VPNs from well-known developers that you can easily research and find on mainstream websites, and never from any based in China.
- Always keep Play Protect enabled if you’re using Android, and never disable or pause Play Protect to install a VPN it has flagged as risky.
- When Android 15’s new live threat detection flags an app, act on the warning.
“There is a growing demand for VPN apps,” Kaspersky says. “Users tend to believe that if they find a VPN app in an official store, like Google Play, it is safe and can be used to get content that is originally unavailable at their location. And they think it is even better if this VPN service is free! However, this often ends up being a trap, as recent cases and statistics showing a surge in malicious VPN app encounters prove.”
Now that the U.S. government has added its own warning, let’s hope users are finally steered away from such risks. These free or low-rent apps often have huge install counts. That must now stop.