A recent Buzzfeed investigation discovered that several popular VPN and adblocking apps for Android and iOS secretly collected user data and sent it to Sensor Tower, a cross-platform data analytics service for app developers. The snooping apps include:
Adblock Focus (Android and iOS)
Free and Unlimited VPN (Android)
Luna VPN (Android and iOS)
Mobile Data (Android)
The apps were able to track user data by gaining root access to the device’s file and folders—something that both Apple and Google do not allow apps to do normally, but the developers used a simple loophole to get around the restriction.
Many of the apps used misleading notifications promising extra features—like Luna VPN offering free YouTube ad blocking—if users downloaded additional files from a third-party website after the app was installed. These “extra features” would then ask for additional permission, including root access, in order to function.
Both Apple and Google have banned the offending apps from their respective stores and are investigating the development companies behind them in response to Buzzfeed’s findings. Users should uninstall the apps listed above, especially if you sideloaded any of them from third-party sources rather than the App Store or Google Play. None of these apps have disclosed their data tracking behaviour, nor their connections to Sensor Tower. And they weren’t Sensor Tower’s only apps, just the ones most recently available on each platform. If you have other VPN or adblocking apps installed, and you’re not sure who made them, run a quick web search to see if Sensor Tower was the developer. If so, delete the apps.
This is also yet another reminder to pay attention to app permissions, especially root access permission. Unless you’re absolutely certain that what you’re installing is safe and you need to grant an app root access for a specific reason, don’t do it. Doing so gives the app direct access to basically everything on your phone—all your files, folders, and apps—and full access to do whatever it wants.
And even if an app is asking for “normal” permissions, they may not be necessary. A VPN doesn’t need access to your contacts or your camera, and an ad-blocker doesn’t need access to your file folders. Pay attention to and scrutinise the permissions an app asks for. If any of them seem unnecessary or suspicious, deny the request and uninstall it.