Virtual private networks have been popular among computer users for some time, and they’re starting to find their way onto more Android devices as an increasing number of apps, such as photo editor Meitu, harvest user location data. But researchers have found that many of these VPNs are security nightmares.

Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO), along with security researchers from the University of South Wales and UC Berkeley, tested 283 VPN apps from Google’s Play Store. The results showed that 38 percent of them contained some form of adware, malvertising, trojan, riskware, or spyware. Additionally, 67 percent featured at least one third-party tracking library and 82 percent requested permissions to access sensitive data, including user accounts and text messages.

The VPNs also fell short in other areas: 18 percent of them didn’t encrypt traffic, 16 percent routed it through other users of the same app (rather than using dedicated servers), 84 percent had IPv6 traffic leaks, and 66 percent had DNS leaks.

“Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by inpath middleboxes (e.g., commercial WiFi [Access Points] harvesting user’s data) and by surveillance agencies,” warns the report.

One might imagine that the apps in question are quite unpopular and come with a slew of negative reviews, but this often isn’t the case. “37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating,” the researchers write.

The report lists the ten worst VPN apps using an anti-virus (AV) ranking based on the researchers’ findings, though it’s worth noting that OKVpn, EasyVPN, and sFly Network Booster are no longer listed on the Play Store.

Despite the VPNs’ issues, only a small number of users, around one percent, raised concerns in the apps’ reviews. So remember to do your research if you intend to install an Android VPN, especially if it’s free.