privacy – Security risks of using Android VPNs?

I download a VPN app from Google play and start a firewall on my Android phone. Now, I open the VPN app and I can see the vpn requesting to it’s server. Quite normal.

When the VPN gets connected, the firewall on the Android phone is disabled. I know that apps can request for various permissions and some of them are automatically granted (Like the internet permission). Also, recently I heard about Bad TOR exit nodes. Those can be used to inspect network traffic.

Now, let’s come to my questions:

What information does the VPN can collect ie. Mac, Device ID, IP, ISP information?

What are the ways to stop them from collecting these info?

Can VPN vendors do something similar to TOR?

Can ISP sniff on VPN (Poorly configured free VPNs)?