A little old, but many of these "VPNs" are still probably insecure... For the record, from August 2016:

Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store.

We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

16 page pdf: https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf

https://dl.acm.org/citation.cfm?doid=2987443.2987471
