Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A newly disclosed flaw in Android 16 is raising serious privacy concerns after researchers revealed that malicious apps can bypass VPN protections<\/a> and expose a user\u2019s real IP address even when strict security settings are enabled.<\/p>\n The vulnerability, dubbed the \u201cTiny UDP Cannon,\u201d allows any regular Android app with basic permissions to leak network traffic outside the VPN tunnel.<\/p>\n This bypass works even when users enable \u201cAlways-On VPN\u201d and \u201cBlock connections without VPN,\u201d two features designed to enforce complete traffic protection.<\/p>\n At the core of the issue is a design flaw in Android\u2019s ConnectivityManager service.<\/p>\n Instead of sending network traffic directly, a malicious app can register a payload with the system process (system_server), which operates with elevated privileges and is not bound by VPN routing rules.<\/p>\n Once the app exits or its socket is destroyed, system_server sends the attacker-controlled data over the device\u2019s physical network interface, such as Wi-Fi, completely bypassing the VPN.<\/p>\n This behavior stems from the method:<\/p>\n The method lacks:<\/p>\n As a result, even apps with only auto-granted permissions, such as INTERNET and ACCESS_NETWORK_STATE, can exploit this mechanism.<\/p>\n The vulnerability effectively breaks Android\u2019s VPN trust model. Attackers can:<\/p>\n The issue was successfully tested on a Pixel 8 running<\/span>\u00a0Android 16 with Proton VPN enabled and lockdown mode active.<\/p>\n Below are key indicators associated with exploitation:<\/p>\n The issue was reported to Google\u2019s Android Vulnerability Reward Program (VRP)<\/a> in April 2026.<\/p>\n However, the Android Security Team classified it as \u201cWon\u2019t Fix (Infeasible)\u201d. It stated that it does not meet the criteria for inclusion in a security bulletin.<\/p>\n Despite this, researchers argue that the flaw poses significant privacy risks, especially for users who rely on VPNs for anonymity.<\/p>\n A temporary mitigation exists via an ADB command<\/a> that turns off the vulnerable QUIC feature:<\/p>\n After rebooting, the system stops sending the registered payloads, effectively blocking the leak.<\/p>\n However, this is not a permanent fix and may be removed in future updates.<\/p>\n Researchers at lowlevel.fun warned<\/a> that system-level exemptions can unintentionally bypass key mobile security protections.<\/p>\n As VPN usage continues to grow, such bypasses could become a critical attack vector for surveillance and data leakage.<\/p>\n Users and security teams are advised to monitor unusual network activity and apply mitigations where possible until an official fix is introduced.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAndroid 16 VPN Bypass<\/strong><\/h2>\n
\n
\n
\n
Indicators of Compromise (IOCs)<\/strong><\/h2>\n
\n
\n