- Yandex’s tracking tool found in 16 of the most popular free VPNs in Russia
- Active connections to Russian servers were detected immediately upon app launch
- Users have “no way” to disable tracking in the VPN client settings
A new study has identified a potential security risk in nearly one-fifth of the most popular free VPN apps in Russia, with researchers warning of active connections to servers within the country.
Researchers at internet freedom group RKS Global discovered traces of Yandex.Metrica — an analytics tool owned by Russian tech giant Yandex — embedded in 16 of the 87 applications they tested.
By monitoring network traffic, the team confirmed these apps were making active requests to Russian infrastructure, regardless of which VPN server the user had selected.
However, because the traffic was encrypted, they could not verify what specific data was being sent. The report clarifies that there is currently “no evidence” that these apps are transferring enough information to lead to the direct persecution of users.
Instead, the research highlights a potential structural risk. As a Russian entity, Yandex is legally required to store metadata for up to three years and provide authorities access upon request. The researchers argue that even if the developers aren’t intentionally “spying,” the presence of this tracking tool creates a persistent data pipeline into a jurisdiction where digital rights are under heavy fire.
Because the tool is baked into the apps’ core code, it pings the Russian servers the moment the software is launched, and users have no way to disable this behavior in the settings.
Which VPNs include links to Yandex?
To investigate whether Russia’s most popular free VPNs are communicating with domestic servers, RKS Global analyzed a list of the 87 most-downloaded services — 69 on Android and 18 on iOS.
Among the affected apps were four iOS services (VPN-VPN Secure, VPN Fast VPN 360 unlimited, VPN – Buck Super, and Super Fly VPN 2026) and 12 Android apps, including Pulya VPN, Planet VPN, JumpJumpVPN, and Turbo VPN.
Notably, Turbo VPN had already been flagged in August 2025 for having SDK-level ties to both Russia and China.
The researchers highlighted several technical limitations to their findings. Because the study focused on end-user device applications, it could not account for data transmission occurring directly from a VPN’s own servers to third parties.
Furthermore, the report clarifies that there is currently “no evidence” that these apps are transferring enough information to lead to the direct persecution of users, though the structural risk of using Russian-linked analytics remains high.
Why Yandex.Metrica Matters
Using a VPN that contains traces of Yandex.Metrica should be a significant red flag for privacy-conscious users — and not just because of the company’s legal obligations to the Kremlin.
In 2021, Russia’s “Smart Voting” website — an opposition-led project designed to coordinate tactical voting against pro-government candidates — was found to be running Yandex.Metrica with Webvisor enabled.
This tool recorded individual user sessions, essentially “filming” what a user did on the page and potentially capturing sensitive information typed into forms. For a site used by activists and opposition voters, this created a direct path for the state to identify participants.
The scandal prompted RKS Global to conclude that “Yandex.Metrica is not the analytics tool you should use if you need to preserve privacy from the Russian state.”
The following year, a Financial Times investigation revealed that Yandex had embedded data-harvesting code into the SDKs used by thousands of app developers worldwide. This raised global alarms that “metadata” — often dismissed as harmless —could be used by the Kremlin to track user movements and habits across the web.
For a VPN user, the implication is significant: the very software used to hide your digital footprint may be hosting a component technically capable of mapping it for authorities.
While RKS Global did not find evidence of active session recording in these 16 VPN apps, the presence of the Yandex SDK creates a “structural vulnerability.” Given that Yandex is legally required to provide stored data to Russian security services upon request, using these applications presents a persistent privacy risk that users cannot ignore.
Yandex.Metrica should concern VPN users who care about their privacy
Alexey Kozliuk, Chairman of the industry group VPN Guild, told TechRadar that even a secure VPN tunnel cannot fully protect you if the app itself is leaking data from the inside. While the VPN may encrypt your browsing traffic, analytics SDKs can still harvest unique identifiers directly from your device.
“Yandex’s own AppMetrica documentation shows telemetry fields that can include unique device identifiers, IP address at the time of the event, and other device and network attributes. Such a fingerprint makes it easier to connect activity to a particular device over time,” Kozliuk told TechRadar.
While these VPN apps with links to Yandex target a global audience, users within Russia face a much more immediate threat. The Kremlin has been aggressively clamping down on VPN access.
If you are looking for a free VPN that prioritizes transparency and security over data monetization, we recommend avoiding “unlimited” free VPNs that rely on invasive analytics. According to our latest testing, PrivadoVPN Free, Proton VPN Free, and Amnezia VPN Free are currently the best options.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
https://cdn.mos.cms.futurecdn.net/gigKZshKf9kKmkxW4zXnqX-959-80.jpg
Source link
chiara.castro@futurenet.com (Chiara Castro)
