That VPN you are running on your Android 16 device may not be doing as much as you think. A newly discovered bug in Android 16 allows any app on your device to send traffic outside your VPN tunnel, exposing your real IP address to the internet, regardless of which VPN you use or how locked down your settings are.
The vulnerability was first reported by a Zurich-based security engineer going by the handle @cybaqkebm, and was later flagged by VPN provider Mullvad, which confirmed the bug affects all VPN apps on Android 16, not just its own.
How bad is this and what does Google have to say?
The bug involves a system service in Android 16 called ConnectivityManager. It is designed to let apps send a final message to web servers when a connection ends. The problem is that this service bypasses the VPN tunnel entirely, sending data unencrypted and leaking your real IP address in the process.
The security engineer reported the issue through Google’s Vulnerability Reward Program. However, Google‘s response was to close the report and mark it as ‘Won’t Fix,’ describing it as outside their threat model.
A Google spokesperson told CNET that the issue only affects devices that have downloaded a malicious app, and that Google Play Protect automatically shields users from known malicious apps.
The problem is that Play Protect only covers apps it already recognizes. Unknown malicious apps have previously slipped into the Play Store and racked up millions of downloads before being removed.
Is there anything you can do right now?
Your options are limited, and none of them are particularly user-friendly. A technical workaround exists involving a debug command, but the researcher who found the bug warned people to only attempt it if they fully understand the implications. It may also get wiped by future Android updates.
GrapheneOS, a security-focused Android variant, has already patched the issue, but switching operating systems is not realistic for most users. There is no evidence of active exploitation yet, but with Google declining to act, the safest advice for now is to be very careful about what you install.
