At the time of writing, we’ve reviewed around 50 VPNs. Most of those reviews focus on decent to great services, while a few unfortunately talk about abandoned apps or broken networks. If you search for “vpn” on Google Play or the App Store, though, you’ll find many results that aren’t in our VPN reviews.
We’re aware that those services exist, we just don’t give them the time of day because they’re scams. That may not be apparent to others, though. In this guide to the worst free VPN services, we’re going to provide examples of free VPNs that don’t work, track your information or unload malware onto your device.
Please note that our examples are a small part of a larger whole. The few apps we’ll reference are among the more notorious offenders, but there’s no shortage of apps that do the same things. Our hope is that this guide serves as an example of what to avoid when downloading a VPN.
Why Some VPNs Are Bad
Despite being a simple concept to grasp, VPNs are often misunderstood. You can read our what is a VPN guide for the details, but for the purposes of this guide, all you need to know is that a VPN plays a critical part in your network chain.
When using a VPN, your connection goes to the server you’re connecting to first. That initial connection is encrypted, your personal information in that connection is anonymized and you’re sent out to the internet as if you were in another location. All of that sounds great, but a lot can go wrong.
First, there’s the connection to the VPN server. The purpose of VPNs, at least in this context, is to hide your personal data from your internet service provider, government agencies and network snoopers. The VPN provider can still see your information if it wants to, though. VPNs are just middlemen, so untrustworthy providers can snoop on your traffic and sell your data.
Plus, your connection may use a vulnerable encryption algorithm or, worse, no encryption. Despite marketing themselves as “VPNs,” many companies provide proxy services instead. You can learn about the difference in our VPN vs. proxy vs. Tor guide.
Your connection is passing through a server, too, and there’s no telling how secure that server is. It could be corrupted with malware, so each flowing connection is sneaking malicious packets along with your legitimate ones. If your initial connection is using weak encryption or no encryption, that can come back to you.
Some VPNs are shameless and include malware in the installer. In many cases, phony VPNs try to lock you out of your computer with ransomware or hog system resources as part of a botnet. Even with trustworthy VPNs, it’s a good idea to scan the installer with the best antivirus software to make sure nothing was snuck in during the download.
The important thing to remember is that nothing is ever truly free. If you find a free VPN provider that doesn’t restrict speeds, bandwidth or features, it has something else going on. Though there are bad free VPNs on desktop, mobile users are particularly vulnerable. Make sure to read our best VPN for iPhone and best VPN for Android guides to see our recommendations.
VPNs That Track You
The purpose of VPNs is to protect you from intrusive agencies, such as your ISP and the U.S. National Security Agency. That said, you’re still putting your personal information in the hands of the VPN provider. Our first batch of dishonorable mentions will focus on the VPNs that log your data and sell it for profit.
Believe it or not, Facebook has its own VPN. You heard that right: the controversy-drenched, privacy-unfriendly social media platform decided it was a good idea to start a privacy-focused service (for the skinny on Facebook, read our State of the Cloud). Unsurprisingly, it monitors and logs your traffic to generate market statistics and sell them to marketing companies.
That isn’t just a concern for privacy nuts, either. Apple declared Onavo violated its guidelines on data collection, prompting Facebook to stop rolling out updates for the app in August 2018. The apps have been pulled from Google Play and the App Store, but Onavo’s website remains online. Though not a problem at the time of writing, it may be in the future.
That’s an important distinction. Hotspot Shield tracks mobile users when they open the app, not just after they connect.
Your IP address is collected, too, but Hotspot Shield makes it clear that it’s stored in encrypted form for the duration of the session and deleted afterward. Though that’s a nice thing to say, it seems Hotspot Shield has missed the point. Using a VPN is about keeping that data out of anyone’s hands, no matter how it is handled.
Thankfully, there hasn’t been a Minority Report scenario in the U.S., but U.S. citizens are still concerned with the NSA logging their information. Just because Hotspot Shield says it’ll handle your data responsibly that doesn’t mean it should be allowed to track it. That’s ignoring the fact that Hotspot Shield says it “may collect IP addresses for marketing attribution purposes.”
We’re not sure if Hotspot Shield is malicious or just incompetent, but you shouldn’t use it. You can read about our experience with the service in our Hotspot Shield review.
Touch VPN is one of many “free” VPNs available in the Chrome and Google Play stores. It’s one of the most popular, too, with around 500,000 reviews on Google Play. What’s strange is that most of those reviews are positive. It has around four and half stars, and the top review gives insight into why it’s rated so highly.
The review says, “I have rated it once, but it tells me now and then to rate it as if it is my first time.” We dug around and found that Touch VPN is owned by NorthGhost, but when we tried to go to northghost.com, we were met with an empty Wix website (read our Wix review). Plus, we found the subdomain backend.northghost.com has malicious files communicating with it.
Touch VPN is only available as a free app, with in-app purchases and ads pestering you to upgrade. Like many of the free VPNs plaguing the Google Play store, Touch VPN is simply a data-gathering engine. Avoid it.
VPNs Infected with Malware
Though it’s difficult to find a VPN on desktop that’s infected with malware, the number of malicious VPNs in the Google Play store is staggering. That’s backed by research on the privacy and security risks of Android VPNS completed by Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar and Vern Paxson in 2016.
Hola VPN isn’t transferring malicious files to your device, but it’s wrapped up in cybercrime, which is particularly concerning because it boasts that it has 184 million users worldwide.
That’s not what’s most concerning, though. In the terms of service, Hola says that “in return for free usage of Hola Free VPN Proxy, Hola Fake GPS Location and Hola Video Accelerator, you may be a peer on the Luminati network.” Luminati is owned by the same people who own Hola and allows users to purchase proxy IPs for a monthly fee.
If you’ve been following along, that means Luminati is purchasing access to your device. A hacker attacking a website called 8chan used the IP addresses in the Luminati network to create a botnet, which, in short, is a slave network of computers that the owner can do whatever they want with.
By using Hola VPN, you’re consenting to being a slave computer in a botnet. That means anyone can purchase access to your device if they can afford the 50 cents or so it costs to rent an IP address. You can read our write up on Hola VPN for the details. Just know that this is consumer manipulation at its finest and reeks of ill intent.
One look at Archie VPN should tip you off that something isn’t right. The app screams “scam,” and the few unfortunate souls who’ve downloaded it for their Android device most likely don’t know how dangerous it is. It’s less of a concern because it hasn’t been updated in over a year, but you can still find Archie VPN on the Google Play store, so be careful.
It’s a free service that’s littered with malware. The study linked above used multiple antiviruses to scan the application. Of the 100 or so scanning systems tested, 10 of them returned malware for Archie VPN. Though that number seems low, VirusTotal, the service used for testing, says any software that has been identified by two or more scanning systems is considered malicious.
Plus, the study linked above only included software that exceeded five malicious results. Of all the VPN apps analyzed, 38 percent of them had at least one positive malware result, while only 4 percent exceeded five. It’s one thing to have a false positive here and there, but any consistency shows that malware is present.
The total number of installs for Archie VPN isn’t high. There are around 10,000 users. That said, the app is still available to download, so if you’re unfortunate enough to stumble upon it, make sure to keep scrolling.
If you search for “vpn” on the Google Play store, SuperVPN is one of the first results that pop up. Unlike with Archie VPN, you’d be forgiven for thinking it’s a legitimate app. The interface is clean, there aren’t too many settings and, despite displaying ads, the app is free. Unfortunately, it’s even more infected than Archie VPN.
The study linked above found that 13 of the 100 antivirus apps tested detected that it had malware. If a few apps detect that a software has malware, it isn’t a big deal, but each additional system that detects malware indicates it’s less safe.
Because of that, the difference between 10 and 13 can’t be understated. Each additional antivirus system that detects malware show that the app is exponentially more dangerous.
VPNs That Don’t Work
Last but not least, there are VPNs that simply don’t work. There are a surprising number of websites where you can still purchase a VPN subscription. Providers in this class aren’t free, but they’re still VPN scams, so steer clear.
We last tried VikingVPN in January 2019. Prior to that, the details we were provided to log in didn’t work with the client. We were unable to receive a get from support after numerous emails, too. Unfortunately, testing it many moons later didn’t help. VikingVPN is still the same busted service it was.
You can read our VikingVPN review, or rather, public service announcement, for the details, but the short of it is that the founder of the service left and his replacement has let the dust build up. We’re inclined to believe that’s simply an act of negligence, but there’s a possibility the new owner leaves the website active to score $15 here and there. Avoid VikingVPN at all costs.
UnoTelly looks good on the surface. It looks too good, in fact. There’s a lot to the VPN service, but it focused so much on creating an attractive package that it forgot to include a VPN. We were able to sign up for an account — after multiple attempts, mind you — but we were never able to try the service.
Our journey is documented in our UnoTelly review. After multiple attempts and many unanswered messages, we’re left believing there simply isn’t a client. No matter where we went on the website, we were met with the same error message over and over again.
Despite a somewhat dated website, EarthVPN looks like a decent provider. It supports all standard VPN protocols, comes with access to 190 physical locations and is cheap at only $40 a year. The problem is that the service has been abandoned for quite some time.
You wouldn’t know that from browsing the website, though. The checkout page still works, and it’ll still take your money. Unless you reach out to support and get no response, you’d never know that this website is just a shell for a company that doesn’t exist.
Dishonorable Mention: cryptostorm
cryptostorm isn’t a bad VPN service. In fact, we gave it decent marks in our cryptostorm review. Unfortunately, though, it’s probably being monitored by the FBI. The backstory is long, convoluted and not entirely verifiable, but there have been continual connections between cryptostorm and Douglas Spink.
We haven’t found official documents that tie Spink to cryptostorm, so our claims are speculation. That said, he is a drug runner and bestiality enthusiast who has been picked up by the FBI on more than one occasion. The general idea is that he made a deal to grant the FBI access to the cryptostorm service to lessen or remove charges.
Once again, that’s all speculation, but you should do yourself a favor and avoid cryptostorm anyway. It’s not a great service to begin with, and the mere possibility that it could be tied to Spink takes it out of the question. It’s not a free service, which is why it’s in our dishonorable mention section, but we wanted to make a note of it.
Why You Should Pay for a VPN
In most cases, you shouldn’t use a free VPN. We were grasping at straws to find even five options for our best free VPN guide. Anything that’s good isn’t free, and that’s especially true with VPN services. While we showcased a few dishonorable mentions above, there are many more malicious VPN services lurking around.
VPNs need money to maintain themselves, add server locations, upgrade infrastructure, pay support agents and fix issues with their clients. The money has to come from somewhere, so if a VPN service is offering a “complete” service for free, that usually means you’re being tracked or infected.
You don’t have to spend a lot to get a VPN, either. Though our favorite VPN, ExpressVPN, is expensive, there are cheaper options. You should still read our ExpressVPN review to see why it’s worth the price, though.
Two inexpensive options are CyberGhost and Private Internet Access. CyberGhost has an expensive monthly rate, but the multi-year plans bring the price to below a couple of dollars a month. It has an impressive list of features, too, including dedicated streaming servers, built-in automation and a collapsible interface. You can learn more about it in our CyberGhost review.
PIA isn’t as robust, but it’s much cheaper. At around the half the price of top-shelf providers, it’s the best value on the VPN market. It has issues with usability, which you can read about in our PIA review, but it’s not bad for the price.
If you’re hard up for money, though, there’s Windscribe. It’s the only free VPN we recommend. You’re limited to 10GB of data transfer per month, which isn’t much, but you can purchase more server locations or unlimited data for $1 per month. You can learn more about the pricing structure in our Windscribe review.
In short, anything good is worth paying for, and that’s true for VPN services, too. If you’re serious about protecting your privacy, torrenting securely and streaming in peace, then it’s worth the small price of a paid VPN subscription.
There’s little reason not to pay for a VPN. For your online security and privacy, VPNs are worth the small asking price, not to mention the utility they serve as tools to unlock streaming platforms and protect you while torrenting.
As mentioned above, PIA and CyberGhost are two budget options that deliver excellent services. They aren’t the only ones, though. If you’re looking for a VPN service that won’t log your activity or unload malware onto your device, read our best VPN guide.
Have you fallen victim to a VPN scam? Let us know in the comments below and, as always, thanks for reading.