While Russia is actively preparing for a complete VPN ban, the Cyber Police continues to warn citizens against using IP-changing services. The Department for Combating Cybercrime of the Russian Interior Ministry (MVD) has discovered the Flash VPN app, which instead of providing access to a virtual private network, installs a banking trojan on the device. The app was distributed through third-party websites, not through Google Play. Against the backdrop of a sharp increase in demand for VPN in Russia, this is yet another reminder: a free service from an unverified source can cost you dearly.

The MVD asks users to delete VPN on Android

Why VPN Is Dangerous on Android

The Flash VPN app performs no VPN functions whatsoever. Under the guise of an IP-changing service, it distributes a banking trojan and a loader for additional malware. This was reported on May 26, 2026, by the Department for Organizing the Fight Against Unlawful Use of Information and Communication Technologies of the Russian Interior Ministry.

After installation, the app gains access to several key channels on the device:

  • SMS messages, including bank transaction confirmation codes
  • Push notifications from banking and other apps
  • Banking app data

Additionally, the trojan is capable of downloading other malicious modules to the smartphone in the background, without the owner’s knowledge. Essentially, the attackers gain the ability to monitor the victim’s banking activity and intercept one-time codes for confirming transfers.

Why People Download VPN in Russia

The scammers chose the VPN wrapper deliberately. After restrictions were introduced on Telegram and a number of other services in Russia, the popularity of VPN apps surged dramatically. In March 2026, the five most popular apps on Google Play were downloaded 9.2 million times — 14 times more than during the same period a year earlier. In total, from March 2025 to March 2026, combined installations reached 35.7 million.

VPN popularity in Russia is growing every day

The peak came in the first quarter of 2026: 21.27 million downloads. When millions of people are urgently searching for any working VPN, some of them inevitably go beyond Google Play — to third-party websites, chats, and file-sharing services. This is exactly what attackers exploit: they offer a “working free VPN” that actually hides a trojan.

Does a Safe VPN Exist

The MVD recommends downloading apps only from official stores. However, the agency immediately adds a caveat: even this does not provide a 100% guarantee of security. Malicious apps periodically appear on Google Play as well, although it has a pre-screening system in place.

Several rules that will reduce risk:

  • Do not install VPN apps from third-party websites, messengers, or file-sharing services. APK files from unknown sources are the main distribution channel for such trojans
  • On Google Play, pay attention to the “Data Safety” section on the app’s page. Some VPN services undergo independent verification from the App Defense Alliance (there will be a corresponding mark)
  • Do not give VPN apps access to SMS and notifications (a real VPN has no reason to request such permissions)
  • If an app requests suspiciously many permissions after installation, especially for SMS and banking data, delete it and scan your device with an antivirus

Rules for Protecting Android from Hacking

This warning applies to any owner of an Android smartphone or tablet who uses a free VPN. Especially those who install apps not from Google Play. If you downloaded a service app from an unfamiliar website or a Telegram channel, it makes sense to check what permissions it requested.

Revoke unnecessary permissions from VPN

To do this, open “Settings,” then “Apps,” find the needed app and go to the “Permissions” section. If the VPN has access to SMS, phone calls, or notifications, that’s a reason to be alarmed and delete it.

If you have Flash VPN installed — delete the app, change your banking service passwords, and scan your device with an antivirus. You should also check your SMS and notification history: if the trojan was already intercepting confirmation codes, attackers may have gained access to your finances.