Google sounds alarm over fake VPN apps stealing user data

Google has warned billions of smartphone users to beware of a surge in fake virtual private network (VPN) apps that are stealing sensitive personal and financial data under the guise of protecting privacy.

The alert, part of Google’s November 2025 Fraud and Scams Advisory, highlights how cybercriminals are exploiting rising demand for online security tools. Many of the fraudulent VPN apps mimic trusted brands or use explicit advertising to lure users, only to infect their devices with spyware and data-stealing malware once installed.

“These apps often appear genuine and even perform basic VPN functions,” said Laurie Richardson, Google’s vice president of trust and safety. “But behind the scenes, they can compromise passwords, banking details and private messages.”

Read More: China-led team launches deep-sea AI model to boost ocean research

Google said attackers have been capitalising on a global increase in VPN use, driven by new online safety laws in the US and UK restricting access to adult content. The company warned that some counterfeit apps may even reach official app stores, backed by fake reviews and polished designs that make them appear legitimate.

Once installed, these malicious programs can deliver info-stealers, banking trojans and remote access tools capable of extracting browsing histories, cryptocurrency data and stored credentials.

Experts say the scams exploit a common misconception that VPNs guarantee total anonymity. “A VPN can mask your IP address, but it doesn’t make you invisible,” Richardson said, cautioning that users should treat any app promising complete privacy with skepticism.

Google advised users to download VPNs only from verified sources, such as the Play Store, and to avoid free services that request excessive permissions like access to contacts or messages.

Cyber-security researchers note that while VPNs can still help bypass regional restrictions and add a layer of encryption on public Wi-Fi, they are no substitute for a comprehensive security setup.

The company’s latest alert follows a string of warnings about malware targeting Gmail, Google Messages and Chrome users — part of an escalating effort to curb the wave of digital scams and spyware targeting everyday internet users.