You may be doing everything you can to protect your privacy online—using tools like multi-factor authentication, a secure password manager, and a VPN—but unfortunately, not all privacy-focused apps and services are actually doing what they promise. In its November fraud and scam advisory, Google is warning users about VPN apps and extensions that appear legitimate but are actually vectors for malware.VPNs may actually be spyware A VPN, or virtual private network, makes your internet activity much more difficult to track by routing your traffic through a different connection rather than your regular internet service provider (ISP). This allows you to hide your IP address and location, obscure your browsing data, and protect your information and devices from bad actors. According to Google, malicious VPNs (posing as real ones) are delivering infostealers, remote access trojans, and banking trojans to user devices once installed, allowing hackers to access sensitive personal data like browsing history, financial credentials, and cryptocurrency wallet information. This means that an app you rely on to keep your information private could be doing the exact opposite. Cybercriminals are capitalizing on user trust in these services, creating apps that look and feel like legitimate VPNs but are actually dangerous spyware. How to ensure your VPN app is safeAs with any app or extension, only download or install a VPN from an official source like the Google Play store. While malicious programs do sometimes sneak through, it's typically safer and more reliable than sideloading through a messaging app or other unvetted site. In January 2025, Google launched a VPN verification process to help users identify trustworthy VPN apps in the Google Play store. To earn a "verified" badge, VPN apps have to undergo a Mobile Application Security Assessment (MASA) Level 2 validation and opt into independent security reviews. Badges are awarded only to VPNs that have been published for at least 90 days and reach 10,000 installs and 250 user reviews. Of course, this system isn't perfect either: As TechRadar reported earlier this year, a popular (free) Chrome VPN extension earned a badge and was later discovered to be spying on users. That's why you should rely on a reputable VPN service—which means you'll likely have to pay for it. Free VPNs are far more likely to a privacy nightmare, and any app that sounds too good to be true probably is. You aren't going to get unlimited traffic at no cost without sacrificing something. Finally, review VPN permissions carefully, and allow the minimum access possible for the app or extension to function. (You should do this with any app you download, and you should audit apps regularly to remove unnecessary permissions.) You can check your VPN service's support pages to find out which permissions are essential—this should not include access to your contacts, camera, microphone, or photos, for example.