D

Surfshark

Serious concerns
Nord Security · 🇵🇦 Panama
Technical details
App: com.surfshark.vpnclient.android
Manufacturer: Nord Security

⚠️ The bottom line

Surfshark's Android app requests 42 permissions — including microphone, contacts, and phone numbers. It embeds a marketing tracker. For a VPN (a tool whose entire purpose is to hide what you do online), this is like hiring a bodyguard who also photographs your diary. Mullvad VPN requires zero permissions beyond network access. ProtonVPN requires three. Surfshark requires 42. Surfshark installed a security certificate that could intercept your encrypted traffic, even when you clicked Cancel to refuse.

Legal jurisdiction
🇵🇦 Panama (headquarters)
Law 81 (2019)
Basic data protection. Enforcement weak — Panama's appeal is corporate secrecy, not privacy protection
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 2/4 MODERATE (Who gets my data?)
Security: 2/4 MODERATE (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
Configure: high-risk areas that can be partially mitigated with settings changes.
7 contradictions: 1 critical, 4 high, 2 medium. 4 sources.
Findings by concern
Spying 3/4 HIGH 2 findings
⚠️ Critical: app permissions vs policy claims
Surfshark's Android app requests 42 permissions — including microphone, contacts, and phone numbers. It embeds a marketing tracker. For a VPN (a tool whose entire purpose is to hide what you do online), this is like hiring a bodyguard who also photographs your diary. Mullvad VPN requires zero permissions beyond network access. ProtonVPN requires three. Surfshark requires 42.

What they claim: Surfshark is a 'privacy-first' VPN.

What we found: Android app: AppsFlyer marketing tracker, AD_ID permission. Also: RECORD_AUDIO, READ_CONTACTS, READ_PHONE_NUMBERS, ANSWER_PHONE_CALLS, QUERY_ALL_PACKAGES. 42 permissions.
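An audit check for the permission finding above, added here as an example (it is not the audit site's or Surfshark's code): it parses a constructed AndroidManifest.xml that carries the permissions the finding names and reports which ones fall outside an assumed minimal VPN baseline.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: the minimal set a bare VPN client needs (network, foreground service, boot).
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions that expose data a VPN has no reason to see; taken from the finding above.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.ANSWER_PHONE_CALLS": "call control",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app inventory",
    "com.google.android.gms.permission.AD_ID": "advertising ID (tracking)",
}

# Constructed sample manifest for this example; it is not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.surfshark.vpnclient.android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

def requested_permissions(manifest_xml):
    # <uses-permission> has no namespace; only the android:name attribute is namespaced.
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def audit(manifest_xml):
    # Report the total, everything beyond the baseline, and the sensitive subset with its reason.
    perms = requested_permissions(manifest_xml)
    return {
        "total": len(perms),
        "beyond_baseline": sorted(perms - VPN_BASELINE),
        "sensitive": {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE},
    }
```

Run it against the AndroidManifest.xml that apktool decodes from an APK to get the same report for a real build.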

⚡ High: firmware analysis vs policy claims
Surfshark installed a security certificate that could intercept your encrypted traffic, even when you clicked Cancel to refuse.

What they claim: Surfshark provides secure VPN connections.

What we found: AppEsteem (2022): installed root certificate without consent, even when user clicked Cancel. Root certs can intercept encrypted communications. Also installed TAP Driver, Avira without permission.

Data Sharing 2/4 MODERATE 1 finding
⚫ Medium: policy claims vs regulatory findings
Surfshark advertises at $2.49/month — but only if you prepay for 2 years. When the subscription renews, it jumps to $8.25/month — more than triple the advertised price. Class action lawsuits have been filed over this pricing. The dark pattern is standard in the VPN industry: lure with a low monthly figure that requires a multi-year commitment, then triple the price when you forget to cancel.

What they claim: '$2.49/month' VPN with transparent pricing.

What we found: Intro: $1.78/month. Renewal: $8.25/month -- 363% increase. Class action lawsuits filed (California 2025). CleanWeb routes ALL DNS through Surfshark.

Security 2/4 MODERATE 1 finding
⚡ High: policy claims vs firmware analysis
Surfshark's antivirus secretly logged every virus on your device linked to your identity. They only stopped when a journalist caught them.

What they claim: Surfshark Antivirus protects user privacy.

What we found: TechRadar: secretly logging malware names, device IDs, locations. Initially defended it. Only stopped when journalists published. Building per-user malware profiles without disclosure.

Honesty 3/4 HIGH 3 findings
⚡ High: policy claims vs regulatory findings
Surfshark merged with NordVPN's owner and moved to a 9 Eyes country. They share marketing data under one parent company.

What they claim: Surfshark operates independently as a privacy company.

What we found: Merged with NordVPN parent (Feb 2022). Netherlands (9 Eyes). Admits sharing 'performance and marketing data.' Single parent controls both VPNs.

⚡ High: policy claims vs app permissions
To 'protect privacy,' Surfshark asks for credit card numbers and national IDs, maps your real identity to fake ones, and was caught secretly logging antivirus data.

What they claim: Bundled features enhance privacy (Alert, Alternative ID, Antivirus).

What we found: Alert requires credit card numbers, national IDs. Alternative ID stores real-to-fake persona mapping. Antivirus caught secretly logging. Each product creates identity data contradicting VPN privacy.

⚫ Medium: firmware analysis vs policy claims
The VPN doesn't keep logs (Deloitte confirmed). But they keep account data 2 years after you cancel, and your IP flashes briefly when switching servers.

What they claim: No-logs policy protects all user data.

What we found: Core VPN no-logs verified by Deloitte. But: 15-min session logs, 2-year post-cancellation retention, ~40 virtual server locations, real IP exposed during server switching.

Sources