A critical VPN bypass vulnerability affects Android 16, allowing apps to leak real IP addresses even when users enable strict VPN lockdown settings. While Google chose not to fix the flaw, GrapheneOS acted quickly to resolve the security gap.
- Android 16 flaw leaks IP despite VPN lockdown
- Google declines to patch, calling it infeasible
- GrapheneOS issues timely fix disabling vulnerable feature
What happened
A security researcher recently revealed a VPN bypass vulnerability affecting Android 16, dubbed the 'Tiny UDP Cannon.' This flaw allows malicious apps to leak device IP addresses by circumventing the system’s VPN lockdown features such as "Always-On VPN" and "Block connections without VPN." Despite these settings, the flaw permits traffic to escape the encrypted tunnel, breaking one of Android’s key privacy guarantees.
The vulnerability arises from a feature designed to send a short message when an app closes a network connection. Android fails to check whether this final message should be routed through the VPN or sent directly over the underlying network, so it escapes the tunnel. Any app holding the basic internet permission, which most apps request, can trigger the leak, although exploitation still requires that the malicious app already be installed on the device.
Why it matters
This flaw is especially concerning for users who rely on VPN lockdown modes to maintain stringent privacy, such as journalists, activists, or anyone protecting sensitive data. The expectation is that no network traffic bypasses the VPN, ensuring IP anonymity. However, the bug breaks this assumption, effectively undermining the security model on impacted Android devices.
While the scenario requires a malicious app to already be present on the device, it still represents a significant risk, given the ease with which common permissions can be abused. Google's security team, however, opted not to issue an official fix, marking the vulnerability as infeasible to patch and excluding it from security bulletins. This decision leaves many users exposed unless they seek alternative solutions.
What to watch next
GrapheneOS responded promptly by disabling the problematic feature in its latest release, effectively closing the vulnerability. This fix restores the integrity of VPN lockdown at the cost of a minor network efficiency optimization. For users running stock Android 16, a temporary workaround is to disable the feature manually via ADB commands, though this change is not permanent and can be reverted by system updates or factory resets.
Going forward, privacy-conscious users should monitor whether Google revisits this decision and issues a permanent system patch. Until then, switching to privacy-centered operating systems like GrapheneOS, or carefully limiting which apps are installed, remains essential. The incident underscores the importance of layered privacy defenses and the limitations of relying solely on platform-level controls.