
Android 16 Bug Allows Apps to Ignore VPNs and Leak IP Addresses

Why This Matters

The Android 16 vulnerability poses a significant privacy risk by allowing malicious apps to bypass VPN protections and leak users' real IP addresses. This flaw highlights the ongoing challenges in securing mobile operating systems against emerging threats, emphasizing the need for rigorous security updates and user awareness. For consumers and the industry, it underscores the importance of vigilance and the potential consequences of unpatched vulnerabilities in widely used platforms.

Key Takeaways

Reports surfaced this week that Android 16 may have a vulnerability that allows apps to ignore VPNs and send IP information regardless of the user's settings. A security engineer based in Zurich posted about the bug on the website lowlevel.fun, writing that they had reported it through Google's Vulnerability Reward Program, which pays rewards to security researchers who find bugs in Android apps. The findings were reposted by VPN provider Mullvad on the company's blog.

But the engineer shared logs showing that Android's security team closed the report, saying it was "infeasible" to fix and wasn't considered a high enough priority for the security team. The engineer did not immediately respond to a request for comment.

"This issue only affects devices that have downloaded a malicious app," a representative for Google told CNET in an email.

The Google representative said Google Play Protect automatically protects users from known malicious apps, although by definition, newly emerging threats may not yet be recognized by automated detection systems.

A VPN, or virtual private network, is software that encrypts your internet traffic and masks your IP address. It allows you to keep your online activity private from your internet service provider or make apps and websites believe you're in a different state or country.

This bug involves the ConnectivityManager system service in Android 16, which lets apps send a final message to web servers signaling that an online connection has completely ended. That message currently travels outside the VPN tunnel, so it leaves the device unencrypted and exposes sensitive information, including your device's real IP address, regardless of which VPN server location you have chosen.

In this case, the type of VPN an Android user is using -- along with its permissions or encryption settings -- is irrelevant. This vulnerability bypasses those protections entirely.

Notably, the issue persists even when you have "Always-on VPN" or "Block connections without VPN" enabled. Those settings are designed to prevent any online activity without a VPN connection, so the bug could leave people with a false sense of security. That's particularly concerning for people with critical privacy needs.

There's no evidence that this vulnerability has been exploited to gather device data, but Google leaving the bug unresolved means the issue won't go away for Android 16 users. However, Android-based GrapheneOS patched the issue, according to Mullvad, indicating that the bug can be fixed. If you're worried about the privacy implications of the bug, Mullvad recommends switching to GrapheneOS.

There is one workaround that Android users can try. The security engineer who discovered the issue also found a debug command that works on Android devices when USB debugging is enabled. (You can download the Android Debug Bridge if necessary.) But the blog post also cautions readers to try the workaround only if they understand the implications of shutting down features in USB debugging mode.
