
GrapheneOS closes an Android VPN loophole before Google does (Updated: Google statement)

Why This Matters

GrapheneOS's quick fix for a VPN leak vulnerability in Android 16 highlights the importance of open-source projects in enhancing user privacy and security, especially when major platforms like Google may delay addressing such issues. This underscores the ongoing need for independent security efforts to protect consumers from potential exploits. The incident also raises questions about the adequacy of Google's existing protections against malicious apps exploiting vulnerabilities.


Update: May 15, 2026 (11:15 AM ET): Following the publication of the original article below, Google reached out to us to provide the following statement:

“This issue only affects devices that have downloaded a malicious app. Android users are automatically protected against known malicious apps by Google Play Protect.” – A Google spokesperson

The fact that a malicious app needs to have made its way onto your device to exploit this narrow loophole is something we emphasized below. Google appears to be taking the position that you’re therefore protected from this vulnerability at the app download level. That is, of course, as long as the malicious app in question is “known.”

Original article: May 7, 2026 (6:06 PM ET): A VPN that can leak your location is a pretty big failure of the tech at the best of times, but it’s especially concerning when Android’s lockdown controls exist to reassure you that it won’t happen. That’s the problem GrapheneOS has now addressed in Android 16, with a fix for a VPN flaw Google has reportedly decided to leave alone.