NEWS VPN with a "Surprise": 16 Popular Apps Transfer Your Data to Servers in Russia

pinkman

RKS Global researchers found trackers in apps that promised anonymity.
RKS Global researchers tested 87 of the most popular free VPN apps in Russia and found that 16 of them transmit data to servers located within the country. The study was conducted from October to December 2025.

The study was motivated by the hypothesis that free VPN apps popular in Russia could pose a threat to users by collecting data sufficient to identify the user and sending it to servers within the country. It was not possible to fully prove the collection and transmission of this volume of data due to technical limitations—some of the traffic was undecipherable, and the code of some apps is protected from decompilation. Therefore, the researchers focused on a more specific question: whether the apps communicate with servers within Russia at all.

The list of apps was compiled using data from the App Store and Google Play for Russia, Google and Yandex search results, the analytics platforms appmagic.rocks and foxdata.com, and several industry-specific ratings. The final sample included 69 Android apps and 18 iOS apps. Android app traffic was analyzed using PCAPdroid, and iOS app traffic was analyzed using App Privacy Report. Server geolocation was checked using securitytrails.com and iplocation.net. All tests were conducted using accounts, IP addresses, and locations simulating work from Russia.

All sixteen affected apps use Yandex.Metrica. The analytics service transmits device data sufficient to identify the user, including MAC addresses, IMEI, network information, location, software versions, and the addresses of websites visited. Yandex is included in the Russian registry of information dissemination organizers and is required to store user metadata for up to three years, and correspondence and documents for up to six months, providing the collected data to law enforcement agencies upon request. One of the identified apps additionally sends data to its own servers within the country.

Researchers note that VPN app developers may inadvertently integrate Yandex.Metrica—simply as a convenient analytics tool, without considering the consequences for users.

The study has limitations: only endpoint traffic was analyzed; traffic from some apps could not be decrypted; the code of some Android apps is protected from decompilation, while iOS apps cannot be decompiled at all. A VPN service could theoretically transmit data directly from its servers, bypassing the user's device, but this scenario is not covered by the methodology.
 