
Google Android 16 bug leaks info from all VPN apps.
Updated May 15: This article, originally published May 14, has been updated with a statement from a Google spokesperson regarding the Android 16 vulnerability that allows a malicious app to bypass VPN protections, regardless of which VPN you use or how strict your Android device’s VPN configuration settings are. Details of iOS VPN limitations have also been added so that iPhone users are aware of them.
A security researcher has published a technical paper detailing how Android 16 has introduced a bug that essentially bypasses VPN protections, affecting all VPN apps. Whether you have enabled the “Always-On VPN” or “Block connections without VPN” settings is immaterial; Android 16 can still leak traffic outside of the VPN-protected tunnel. This means that your real IP address is visible on the internet, with all the potential for tracking and surveillance that comes with it. But here’s the kicker: the researcher reported the bug through the Android Vulnerability Reward Program, only for Google to close the issue and mark it as “Won’t Fix” for falling outside of the threat model.
The Android 16 VPN Vulnerability Explained
My attention was drawn to the issue when Yusef, a security researcher based in Zurich who goes by the X handle of @cybaqkebm, posted a simple statement: “Turns out ‘Always-On VPN’ and ‘Block connections without VPN’ features on Android aren't that reliable.” The link in the tweet led me to a highly technical report detailing an Android 16 VPN bypass. The gist of it is that the two settings mentioned, meant to be a hard guarantee that no information will leave your device outside of the established VPN tunnel, are nothing of the sort.
Given that Google has previously warned about the dangers of malicious VPNs and advised users to “only download VPN apps from official sources, and check for apps with the VPN badge in Google Play,” you might think that this would be something that it would take very seriously indeed. Yet, Yusef has confirmed, after reporting the vulnerability through the Android VRP, “apparently, it is not in their threat model.” Indeed, the issue was closed as Won’t Fix (infeasible) and, according to a Mullvad VPN alert, the app vendor has also now reported the issue on the Android issue tracker. This is an important point, as Mullvad noted the vulnerability “affects all VPN apps” on the Android 16 platform.
The TL;DR technical overview is, Yusef said:
A Binder method on ConnectivityManager, registerQuicConnectionClosePayload, accepts an arbitrary byte buffer and a UDP socket from any caller with INTERNET and ACCESS_NETWORK_STATE (both auto-granted). When the registered socket dies, system_server sends the buffer on the socket’s original network. No permission check, no payload validation, no awareness of the VPN-lockdown state of the calling UID. With one slightly cute trick to slip past the fwmark server, an attacker app can use that primitive to leak the user’s real IP past an active VPN.

In other words, a malicious app can send traffic outside the VPN tunnel, regardless of what VPN app you are using or how strict your Android 16 VPN configuration is.
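To make the missing check concrete from a defender's point of view, here is a small policy model of the decision system_server would need to make before sending a registered close payload on a socket's original network. This is an added illustration, not AOSP code and not the researcher's code; the UIDs, network names, the VpnPolicy structure and the function names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet

# Constructed name for the VPN tunnel interface in this model.
VPN_NETWORK = "vpn0"


@dataclass(frozen=True)
class VpnPolicy:
    """Hypothetical per-device VPN state (constructed for this model)."""
    vpn_uid: int                  # UID of the VPN app; its underlying-network sockets are legitimate
    lockdown_uids: FrozenSet[int]  # UIDs covered by "Block connections without VPN"


def may_send_close_payload(caller_uid: int, socket_network: str, policy: VpnPolicy) -> bool:
    """The check the page says is absent: may this UID's bytes leave on this network?

    A payload sent on the VPN network never escapes the tunnel. The VPN app itself
    must talk to the underlying network. Any other UID under lockdown must not.
    """
    if socket_network == VPN_NETWORK:
        return True
    if caller_uid == policy.vpn_uid:
        return True
    if caller_uid in policy.lockdown_uids:
        return False
    return True


def on_socket_closed(caller_uid: int, socket_network: str, payload: bytes,
                     policy: VpnPolicy, sender: Callable[[str, bytes], None]) -> str:
    """Models the socket-death handler: send only when the policy allows it.

    Returns "sent" or "dropped" so the outcome can be audited or asserted on.
    """
    if may_send_close_payload(caller_uid, socket_network, policy):
        sender(socket_network, payload)
        return "sent"
    return "dropped"


if __name__ == "__main__":
    # Constructed sample: VPN app is UID 10100, one locked-down app is UID 10200.
    policy = VpnPolicy(vpn_uid=10100, lockdown_uids=frozenset({10200}))
    log = []
    result = on_socket_closed(10200, "wlan0", b"close", policy,
                              lambda net, data: log.append((net, data)))
    print(result, log)  # a locked-down UID's payload on wlan0 is dropped
```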
A Google spokesperson provided me with the following statement: "This issue only affects devices that have downloaded a malicious app. Android users are automatically protected against known malicious apps by Google Play Protect."
OK, so Google’s advice appears to be that the primary mitigation against falling victim to this Android 16 vulnerability is to ensure that you never install a malicious app on your device. Which is, of course, good as far as it goes. But the problem here is that Google Play Protect, as the Google statement admits, means that users are only “automatically protected against known malicious apps.” That doesn’t mean a lot if unknown malicious apps get into the Play Store and are downloaded 7.3 million times before it is noticed that they are dangerous and they are removed, as I reported on May 10.
Given that malicious app avoidance isn’t a given, if you see what I mean, the only current mitigation would appear to be as follows: the user must manually amend a DeviceConfig setting. Something, dear reader, that I would not recommend most users attempt. As Yusef warned, “Use it only if you understand the implications and on your own risk.” Actually, there is another mitigation: switch to GrapheneOS, as it has already resolved the issue. Again, not something most users will want to do.
And before you start to think that maybe an iPhone is the answer, there’s some bad news on that front as well. A reader contacted me to say that they had seen this article and that “This is the same as Apple, where they have now actually updated their privacy information to state that some resolution may take place outside of the VPN.” Investigating this further, I discovered this is, indeed, the case. In a December 12, 2025 VPNs and privacy legal posting, Apple confirmed that “not all your device’s network traffic will be routed through an active VPN.” The legal statement went on to state that “if an app developer specifies a required type of connection for their app, such as mobile data only, network traffic from that app is excluded in active VPN configurations. On iOS, iPadOS and visionOS devices, your VPN provider can choose to override this choice and prevent most apps, services and system functions from routing network traffic outside of an active VPN configuration.”
As for Android, it’s over to Google to see whether the “won’t fix” Android 16 vulnerability response will be amended. If not, it won’t be the first Google security gaffe, but let’s hope that media and app vendor pressure can come to bear in this case.
