Android 16 has a bug that lets apps route traffic outside your VPN tunnel and expose your real IP address, even with strict VPN settings enabled.
That VPN you are running on your Android 16 device may not be doing as much as you think. A newly discovered bug in Android 16 allows any app on your device to send traffic outside your VPN tunnel, exposing your real IP address to the internet, regardless of which VPN you use or how locked down your settings are.
The vulnerability was first reported by a Zurich-based security engineer going by the handle @cybaqkebm, and was later flagged by VPN provider Mullvad, which confirmed the bug affects all VPN apps on Android 16, not just its own. How bad is this and what does Google have to say? The bug involves a system service in Android 16 called ConnectivityManager. It is designed to let apps send a final message to web servers when a connection ends.
The problem is that this service bypasses the VPN tunnel entirely, sending data unencrypted and leaking your real IP address in the process. Recommended Videos The security engineer reported the issue through Google’s Vulnerability Reward Program.
However, Google‘s response was to close the report and mark it as ‘Won’t Fix,’ describing it as outside their threat model. A Google spokesperson told CNET that the issue only affects devices that have downloaded a malicious app, and that Google Play Protect automatically shields users from known malicious apps. The problem is that Play Protect only covers apps it already recognizes.
Unknown malicious apps have previously slipped into the Play Store and racked up millions of downloads before being removed. Is there anything you can do right now? Your options are limited, and none of them are particularly user-friendly. A technical workaround exists involving a debug command, but the researcher who found the bug warned people to only attempt it if they fully understand the implications.
It may also get wiped by future Android updates. GrapheneOS, a security-focused Android variant, has already patched the issue, but switching operating systems is not realistic for most users. There is no evidence of active exploitation yet, but with Google declining to act, the safest advice for now is to be very careful about what you install.
Android 16 Bug Google VPN VPN Bug
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
The Common Mistake That's Filling Your Android Phone's StorageYour immediate impulse to clear storage might be to delete some precious memories, but there's often a more subtle culprit: an overabundance of apps.
Read more »
A first (and second) look at the Android XR glasses launching this yearThree!! Android XR!!! glasses!!! this year!!!
Read more »
Android Halo could be the missing link between Android and AI agentsGoogle’s new Android Halo feature hints at a future where AI quietly works alongside you instead of demanding constant attention. The most interesting part is how little it tries to get in your way.
Read more »
Bitcoin Developer Launches Privacy-Focused Nostr VPN Using Public KeysOne of the earliest Bitcoin developers launched a new privacy-focused version of Nostr VPN that replaces email and other centralized identity providers with cryptographic keys.
Read more »