
Free VPNs That Turn Your Device Into a Proxy Exit Node

Backend developer writing about web3/ai integrations, blockchain, network infrastructure, and verification systems.

In January 2026, Google's Threat Intelligence Group dismantled IPIDEA, a residential proxy network that had enrolled 9 million Android devices into a botnet through seemingly normal apps. Free VPN utilities, casual games, and flashlight tools all functioned as advertised on the surface. Underneath, embedded SDKs turned every phone into a proxy exit node, routing traffic from over 550 threat groups through real people's home IP addresses.

This was not an isolated incident. The same pattern has repeated across the industry for over a decade, and the list of offenders keeps growing.


The Known Offenders

Hola VPN was the first major exposure in 2015. The service operates a peer-to-peer model where free users contribute their bandwidth and IP addresses to the network. Hola sold access to this network through its commercial arm, Luminati (now Bright Data). Security researchers discovered that Hola could be exploited to execute arbitrary programs on users' devices. The Chrome extension was removed from the Chrome Web Store in 2021 after being flagged as potentially dangerous. As of 2026, the free tier still requires users to contribute bandwidth to the P2P network, using approximately 100 MB of upload data per day according to Hola's own FAQ.

Betternet has been documented embedding 14 third-party tracking libraries in its app, more than any other free VPN tested in the CSIRO research study on free VPN applications. The service collects GPS location data, device identifiers, and browsing history. Advertisers receive direct access to track and log user data through the app.

SuperVPN has been flagged by multiple cybersecurity firms for distributing malware. Testing has detected potentially unwanted programs bundled with the installation, including adware and data exfiltration capabilities sending information to servers outside the user's country.

Urban VPN was exposed in 2025 for intercepting AI chatbot prompts from users and selling conversational data to advertising firms. The service also logs browsing data extensively and has been documented leaking IP addresses during operation.

PROXYLIB infected 28 Google Play apps in 2023, turning installed devices into residential proxy exit nodes without disclosure. The SDK operated silently in the background, registering each device's IP and bandwidth with command-and-control servers.

These are not edge cases. Research has consistently found that the majority of free VPN apps on Android embed tracking libraries, with a significant share containing malware or proxy SDKs.


How the SDK Enrollment Works

The technical pattern behind IPIDEA and similar networks follows a consistent sequence.

A third-party SDK gets integrated into an app, sometimes by the developer knowingly, sometimes through a compromised dependency. The app requests standard Android permissions: network access, background execution, location. Nothing unusual enough to trigger app store review flags.

Once installed, the SDK contacts a command-and-control server and registers the device's IP address, carrier information, geolocation, and available bandwidth. From that point forward, the device operates as an active proxy exit node. Traffic from paying proxy customers routes through the phone's connection, exits through the user's residential or mobile IP, and reaches whatever destination the customer targets.

SDK enrollment flow:

1. App installed, SDK initializes in background
2. SDK sends device fingerprint to C2 server
3. C2 assigns device to proxy pool
4. Proxy buyer connects through relay chain
5. Traffic exits through victim device IP
6. Target server sees clean residential IP

IPIDEA operated approximately 7,400 command-and-control servers, making coordinated takedown difficult. Some SDKs are sophisticated enough to throttle proxy traffic during active screen time and increase throughput when the device is idle or charging.


How to Detect if Your Device Is Compromised

Several concrete signals indicate a device may be enrolled in a proxy network.

Unexplained data consumption is the most visible indicator. A device consistently using significantly more mobile data than expected, particularly in background processes, warrants investigation. Android's per-app data usage settings reveal which apps consume background data without clear justification.

Battery drain during idle periods is another signal. Proxy SDKs maintain persistent network connections. A free VPN app consuming substantial battery while nominally idle indicates continuous background network activity that a legitimate VPN in standby would not require.

Outbound connection auditing provides the most definitive evidence. Tools like PCAPdroid or NetGuard can log outbound connections on Android without root access. Running a capture for 24-48 hours with a suspected app installed will reveal connections to IP ranges the user never visited. Dozens of unique destination IPs per day that correspond to no user activity are a strong indicator of proxy relay behavior.

Permission creep is a preliminary red flag. A VPN app requesting access to location, contacts, SMS, or detailed device identifiers has no legitimate technical requirement for those permissions. A VPN needs network access and notification permissions. Anything beyond that serves data collection.


The Residential Proxy Supply Chain Problem

IPIDEA's takedown exposed a structural issue in the proxy industry. A significant portion of residential proxy inventory available from commercial providers originates from devices whose owners never consented to participation.

The supply chain works through layers of abstraction. A free app developer integrates an SDK, often for payment. The SDK enrolls user devices. The SDK operator sells pooled IPs to proxy aggregators. The aggregators resell access through commercial proxy services. By the time a customer purchases "residential proxy" access, three or four intermediaries separate them from the compromised device owner.

This is why IP classification and trust scoring from providers like MaxMind increasingly flag residential proxy ranges. The IPs look residential because they are residential. They belong to real people who never agreed to participate.


What Actually Provides Privacy

For users who need actual VPN privacy protection, paid services with independent security audits represent the only reliable option.

ProtonVPN offers a genuinely free tier with unlimited bandwidth, no ads, and no tracking. The no-logs policy is verified by annual independent audits (most recently by Securitum in September 2025). The free tier is limited to servers in a few countries with slower speeds, but the privacy guarantees apply equally to free and paid users. Swiss jurisdiction provides additional legal protection for user data.

Mullvad VPN takes a different approach by not requiring any personal information for signup. Users pay a flat rate of approximately 5 EUR per month with no accounts, no email addresses, and no long-term commitments. The service has been independently audited and publishes transparency reports. For users whose primary concern is avoiding identification, Mullvad's anonymous account model is the most privacy-forward option among commercial VPNs.

For users who need proxy infrastructure rather than personal privacy (web scraping, verification, market research), the distinction between residential proxy botnets and carrier-grade mobile proxies matters. Providers like VoidMob operate dedicated SIM hardware on real 4G/5G carrier networks. The IPs are assigned by carriers, rotate through legitimate mobile infrastructure, and do not depend on enrolled consumer devices. No SDKs, no bandwidth harvesting, no intermediary supply chain of compromised apps.


Practical Protection Steps

Removing a suspected app is not always sufficient. Some proxy SDKs register persistent background services that survive uninstallation.

Audit all installed apps and remove any free VPN or utility app without a transparent revenue model. Check background processes through Android Developer Options to identify unfamiliar services. Run a network traffic capture for 48 hours using PCAPdroid and flag any app making connections to IPs that were not user-initiated. If a device has hosted a suspected proxy SDK app for an extended period, a factory reset is the safest remediation path.
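The capture-and-flag step above, and the detection signals described earlier (unique destinations per day, activity while the device is idle), as an added example that is not part of the original article. It runs over a constructed connection log; the column layout (app, timestamp, destination IP, bytes, screen state) is an assumption for this example, not PCAPdroid's actual export format, and the thresholds are illustrative.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape a per-connection capture export might take.
# Column layout is an assumption for this example, not a real tool's format.
def build_sample_log():
    lines = ["app,ts,dst_ip,bytes,screen"]
    # Free VPN app: 40 distinct destinations in one day, 35 while the screen was off.
    for i in range(40):
        screen = "off" if i < 35 else "on"
        lines.append(f"com.example.freevpn,2026-01-10T{i % 24:02d}:15:00,203.0.113.{i + 1},120000,{screen}")
    # Browser: a handful of destinations, all during active use.
    for i in range(6):
        lines.append(f"com.example.browser,2026-01-10T{9 + i:02d}:00:00,198.51.100.{i + 1},500000,on")
    return "\n".join(lines)

def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))

def summarize(rows):
    """Per app: unique destinations per calendar day, connection count, idle share and bytes."""
    stats = defaultdict(lambda: {"dsts_by_day": defaultdict(set), "conns": 0,
                                 "idle_conns": 0, "idle_bytes": 0})
    for r in rows:
        s = stats[r["app"]]
        s["dsts_by_day"][r["ts"][:10]].add(r["dst_ip"])  # date prefix of the timestamp
        s["conns"] += 1
        if r["screen"] == "off":
            s["idle_conns"] += 1
            s["idle_bytes"] += int(r["bytes"])
    return stats

def flag_proxy_suspects(text, min_daily_dsts=24, min_idle_ratio=0.5):
    """Return {app: [reasons]} for apps matching the two strongest signals:
    dozens of unique destinations in a day, and traffic concentrated in idle periods."""
    suspects = {}
    for app, s in summarize(parse_log(text)).items():
        peak_dsts = max(len(d) for d in s["dsts_by_day"].values())
        idle_ratio = s["idle_conns"] / s["conns"]
        reasons = []
        if peak_dsts >= min_daily_dsts:
            reasons.append(f"{peak_dsts} unique destination IPs in one day")
        if idle_ratio >= min_idle_ratio:
            reasons.append(f"{idle_ratio:.0%} of connections ({s['idle_bytes']} bytes) with screen off")
        if reasons:
            suspects[app] = reasons
    return suspects
```

Feed a real export through `flag_proxy_suspects` after mapping its columns to the assumed names; apps that trip both reasons are the ones to remove and investigate further.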

For ongoing protection, avoid free VPN apps entirely. The economics are straightforward: VPN infrastructure costs real money to operate. If a service charges nothing and displays no ads, bandwidth resale or data harvesting is the revenue source. Paying for a VPN with verified audits is the minimum baseline for actual privacy.


FAQ

How do free VPNs make money if they charge nothing?

Three primary methods: selling browsing data and device telemetry to advertisers, reselling user bandwidth through proxy networks (the Hola/IPIDEA model), and injecting ads or affiliate cookies into browsing sessions. Many services combine all three.

Can Google Play Protect detect proxy SDKs?

Detection lags behind deployment. Google removed IPIDEA-linked apps after the 2026 investigation and Play Protect now flags PROXYLIB-associated code. But new SDK variants continue appearing, and the gap between deployment and detection can span months or years.

Is a paid VPN always safe?

Not automatically. A paid subscription eliminates the bandwidth-resale incentive but does not guarantee privacy. Look for services that publish independent security audits, operate under strong privacy jurisdictions, and maintain verifiable no-logs policies. ProtonVPN and Mullvad both meet these criteria.

What is the difference between residential proxies and mobile proxies?

Residential proxies route through consumer ISP connections, which may originate from compromised devices. Mobile proxies route through carrier infrastructure on dedicated SIM hardware. The sourcing distinction determines whether the IP comes from a consenting infrastructure provider or an unknowing device owner.