Android 16 VPN Bug Can Leak Users’ Real IP Addresses, Researcher Claims

Written by:
Rachita Jain
VPN Staff Editor
Key Takeaways
  • Android 16 VPN vulnerability: Researchers claim apps can bypass VPN tunnels and expose users’ real IP addresses.
  • Google response: Google reportedly marked the Android 16 VPN issue as outside its official threat model.
  • Broader VPN concerns: Apple previously acknowledged some iPhone and iPad traffic may bypass active VPN connections.

Android 16 users face a real privacy concern: a newly disclosed issue means an installed app can send traffic outside an active VPN tunnel and expose the device's real IP address to remote servers.

The issue reportedly affects all VPN services on Android 16, including setups where users have enabled the hardening options "Always-On VPN" and "Block connections without VPN." The researcher reports that, despite these settings, traffic from an app that uses the affected mechanism can still leave the device outside the encrypted tunnel.

The finding has sparked criticism after Google reportedly categorized the issue as outside its threat model instead of issuing a fix.

Google Says Threat Depends on Malicious Apps

Google responded to the disclosure by stating that the issue only becomes dangerous if a user installs a malicious application.

A company spokesperson said Android users are protected through Google Play Protect, which automatically scans and blocks known harmful apps. However, cybersecurity experts note that Play Protect is mainly effective against threats that have already been identified; a newly published malicious app, or one that adds the behaviour in an update, can remain undetected for long periods.

This has raised concerns because the reported vulnerability does not target a specific VPN provider. Instead, researchers say it impacts Android 16 itself, meaning any VPN app running on the operating system could potentially be affected.

Researcher Claims Android VPN Lockdown Can Be Circumvented

The issue was disclosed by a Zurich-based security researcher known online as Yusef (@cybaqkebm). According to the researcher, Android’s VPN lockdown protections are not functioning as securely as users may expect.

A technical report published by the researcher describes how a system component within Android's ConnectivityManager can allegedly be abused by apps holding only normal-level permissions, which are granted at install time without any user prompt, including INTERNET and ACCESS_NETWORK_STATE. Because practically every networked app already holds these, the permission model offers no signal that an app is misusing the mechanism.

The report claims that this mechanism allows data to be transmitted outside the protected VPN tunnel, exposing a user’s actual IP address to external servers even while a VPN remains active.
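One practical way to check a device for this class of leak, as an added example that is not part of the researcher's report, Mullvad's code, or Android itself: with the VPN up and "Block connections without VPN" on, every non-VPN app's sockets should be bound to the tunnel address, so any socket that has exchanged packets with a remote host from the Wi-Fi or cellular address is a leak. The script below parses a snapshot of /proc/net/tcp (standard Linux socket table, readable on a rooted device or an engineering build with `adb shell cat /proc/net/tcp`) and reports such sockets per uid. The tunnel range, the VPN app's uid and the sample table are constructed assumptions; only IPv4 (/proc/net/tcp, not tcp6) is handled, and a little-endian kernel is assumed, as on shipping Android hardware.

```python
"""Spot TCP connections leaving an Android device outside the VPN tunnel.

Added example for this article; not the researcher's report, Mullvad's code,
or Android code. Parses a /proc/net/tcp snapshot (standard Linux format) and
lists sockets that have talked to a remote host from a non-tunnel address.
IPv4 only; the kernel is assumed little-endian.
"""
import ipaddress
import socket
import struct

# Kernel TCP state codes as printed in the "st" column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}
# LISTEN and CLOSE are the only states in which no packet has gone to a peer;
# a socket in any other state (even SYN_SENT) has already revealed its source IP.
SILENT_STATES = {"0A", "07"}


def parse_proc_addr(field):
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field into (dotted IPv4, port).

    The address is one 32-bit word printed in host byte order, so on a
    little-endian kernel 127.0.0.1 appears as 0100007F.
    """
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)


def find_leaks(proc_net_tcp, tunnel_net, vpn_uid):
    """Return sockets that talk to a remote host from outside the tunnel.

    tunnel_net: the VPN's address range (assumed, e.g. "10.64.0.0/10").
    vpn_uid:    uid of the VPN app itself; its connection to the VPN server
                legitimately uses the physical interface and is excluded.
    With "Block connections without VPN" on, every other app uid is expected
    to bind only tunnel addresses.
    """
    tunnel = ipaddress.ip_network(tunnel_net)
    leaks = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue  # header line or blank
        local_ip, local_port = parse_proc_addr(fields[1])
        remote_ip, remote_port = parse_proc_addr(fields[2])
        state, uid = fields[3], int(fields[7])
        if state in SILENT_STATES:
            continue  # never sent a packet
        if ipaddress.ip_address(remote_ip).is_loopback:
            continue  # device-local traffic cannot leak an IP
        if uid == vpn_uid:
            continue  # the tunnel transport itself
        if ipaddress.ip_address(local_ip) in tunnel:
            continue  # correctly routed through the VPN
        leaks.append({
            "uid": uid,
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(state, state),
        })
    return leaks


# Constructed snapshot: uid 10100 is the VPN app (tunnel transport to 203.0.113.10),
# uid 10234 is a browser correctly bound to the tunnel address 10.64.0.2, and uid
# 10250 is an app whose sockets use the Wi-Fi address 192.168.1.23 directly.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1701A8C0:9C4B 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10100        0 31204 1 0000000000000000 20 4 30 10 -1
   1: 0200400A:C292 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 31377 1 0000000000000000 20 4 30 10 -1
   2: 1701A8C0:9C56 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10250        0 31402 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:1F90 0100007F:ADFB 01 00000000:00000000 00:00000000 00000000 10250        0 31410 1 0000000000000000 20 4 30 10 -1
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10250        0 31390 1 0000000000000000 100 0 0 10 0
   5: 1701A8C0:9C60 076433C6:0050 02 00000000:00000001 01:00000A3C 00000001 10250        0 31420 1 0000000000000000 100 0 0 10 -1
"""

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_PROC_NET_TCP, "10.64.0.0/10", vpn_uid=10100):
        print(f"uid {leak['uid']}: {leak['local']} -> {leak['remote']} [{leak['state']}]")
```

On the constructed table only uid 10250 is reported: its established HTTPS connection and its half-open SYN_SENT connection both left from 192.168.1.23, which is exactly what an external server would log. Map a uid back to a package with `adb shell pm list packages -U`. /proc/net/udp shares the same column layout, but an unconnected UDP socket is shown in state 07, so the SILENT_STATES rule has to be relaxed there; DNS over UDP is the first thing to look at when checking for leaks.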

VPN provider Mullvad later acknowledged the problem and stated that the issue affects all VPN apps running on Android 16. The company has also reportedly submitted the issue through Android’s official bug tracking system.

No Simple Fix Currently Available for Most Users

At present, there is no official patch from Google addressing the reported behavior.

The researcher mentioned that advanced users could manually change certain DeviceConfig settings (Android's runtime feature flags, adjusted over adb with the `device_config` command) as a temporary mitigation. The report does not make the specific flags part of the advice for general users, and the researcher warned that the process carries risks and should only be attempted by people who understand Android's internal configuration system; such flag changes can also be reverted by a later update or flag sync.

Another possible solution is switching to GrapheneOS, a privacy-focused Android operating system that has reportedly already addressed the vulnerability. However, replacing Android with a custom operating system is not considered a practical option for most everyday users.

For now, the safest recommendation appears to be avoiding untrusted apps and limiting downloads to reputable sources.

Apple Previously Acknowledged Similar VPN Traffic Limitations

The Android disclosure has also renewed attention around VPN limitations on Apple devices.

In a legal privacy-related document published in December 2025, Apple stated that not all network traffic on iPhones, iPads, and Vision Pro devices is guaranteed to pass through an active VPN connection.

According to Apple, developers can configure apps to use specific connection types, which may result in some traffic bypassing VPN routing unless the VPN provider actively blocks it.

Although the technical details differ from Android’s reported issue, both disclosures highlight that VPN services may not always provide complete traffic isolation at the operating system level.

Google has not announced any plans to reconsider its reported “Won’t Fix” decision, leaving uncertainty around whether the Android 16 issue will receive an official security update in the future.

