CSIRO has published a report revealing many VPN apps are not as secure as they make out to be.

Experts looked at 283 Android VPN apps and assessed a wide range of security and privacy features.

The report found that 18 per cent of the apps failed to encrypt users’ traffic, while 38 per cent injected malware or malvertising.

Alarmingly, the report found that over 80 per cent of apps accessed sensitive data including user account information and text messages.

While most of the apps appeared to offer some form of online anonymity, many others deliberately collected personal user information that could be sold on to external partners.

Users appear unaware, with less than 1 per cent of users having any security or privacy concerns about the apps.

CSIRO Senior Principal Researcher in Online Privacy and Security, Dali Kaafar, says he has shared the findings with developers of the apps with security shortcomings.

“Several of them [app developers] took actions to fix the identified vulnerabilities.  Some apps were even removed from the Google Play Store,” Kaafar said.

He said VPN users should shop around, comparing functionality and app reviews before signing up to a particular VPN app.

“Always pay attention to the permissions requested by apps that you download. This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services,” Kaafar said.

The full report is accessible here.