Android 16 Bug Allows Apps to Ignore VPNs and Leak IP Addresses

Reports this week say that Android 16 has a bug that lets applications bypass the device's VPN and send traffic that exposes its real IP address, regardless of the user's settings. A Zurich-based security engineer described the bug in a post on lowlevel.fun, writing that they had reported it through Google's Vulnerability Reward Program, which pays security researchers who find bugs in Android. The post was picked up by the VPN provider Mullvad on the company's blog.
But the engineer shared logs showing that Android's security team closed the report, saying the bug was "impossible" to fix and that it wasn't considered a high enough priority for the security team. The engineer did not immediately respond to a request for comment.
“This issue only affects devices that have downloaded the malicious application,” a Google representative told CNET in an email.
A Google spokesperson said that Google Play Protect automatically protects users from known malicious apps, although, by definition, newly emerging threats may not yet be caught by automated detection systems.
A VPN, or virtual private network, is software that encrypts your internet traffic and masks your IP address. It lets you keep your online activity private from your internet service provider, or make apps and websites believe you are in a different state or country.
The bug involves the ConnectivityManager system service on Android 16, which allows applications to send a final message to web servers telling them that the connection to the internet has ended. That message currently bypasses the VPN tunnel, so it leaves the device unencrypted and reveals sensitive information, including the device's real IP address, to the receiving server, regardless of which VPN server location you chose.
The type of VPN the Android user is running, and its permissions or encryption settings, doesn't matter; the bug bypasses those protections entirely.
Notably, the problem persists even with "Always-on VPN" or "Block connections without VPN" enabled. Those settings are designed to prevent any internet activity outside the VPN connection, so the bug can leave people with a false sense of security. That matters most for people with strict privacy requirements.
There is no evidence that this bug has been exploited to collect device data, but with Google leaving it unaddressed, the problem will not go away for Android 16 users. However, GrapheneOS, an Android-based operating system, has already patched the issue, according to Mullvad, which shows that the bug can be fixed. If you're concerned about the privacy implications of the bug, Mullvad recommends switching to GrapheneOS.
There is another method that Android users can try. The security engineer who discovered the problem also found a debugging command that works on Android devices when USB debugging is enabled. (You can download the Android Debug Bridge, adb, if necessary.) But the blog post cautions readers to attempt the workaround only if they understand what the command disables and what enabling USB debugging on a device means.
You can find more information on how to apply it in the blog post, but note that a future Android update may undo the change, so it should not be considered a permanent solution.