Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Reports emerged this week that Android 16 may have a vulnerability that allows applications to ignore VPNs and send IP information regardless of the user's settings. A security engineer based in Zurich posted a report on the bug on the website lowlevel.fun. The engineer wrote that they reported it through Google's vulnerability bounty program, which pays bounties to security researchers who find bugs in Android apps. The findings have been republished by VPN provider Mullvad on the company's blog.
But the engineer shared logs showing that the Android security team closed the report, saying it was “unfeasible” to fix and not considered a high enough priority for the security team. The engineer did not immediately respond to a request for comment.
“This issue only affects devices that have downloaded a malicious app,” a Google representative told CNET in an email.
A Google representative said Google Play Protect automatically protects users from known malicious apps, although by definition, newly emerging threats may not be identified by automated detection systems.
A VPN, or virtual private network, is a program that encrypts your Internet traffic and hides your IP address. It allows you to keep your online activity private from your ISP or make apps and websites think you're in a different state or country.
This bug involves the ConnectivityManager system service in Android 16, which allows applications to send a final message to web servers telling them that online communication has completely ended. But this service currently bypasses the VPN tunnel, leaving that traffic unencrypted and exposing sensitive information, including your device's real IP address, regardless of the server location you choose.
In this case, the type of VPN the Android user is using — as well as their permissions or encryption settings — are irrelevant. This vulnerability bypasses all protections.
Notably, the issue persists even when "Always-on VPN" or "Block connections without VPN" are enabled. These settings are designed to prevent any online activity without a VPN connection, so the bug may leave people with a false sense of security. This is especially worrying for people with critical privacy needs.
There's no evidence that this vulnerability has been exploited to collect device data, but Google leaving the bug unresolved means the issue won't go away for Android 16 users. However, the Android-based GrapheneOS has patched the issue, according to Mullvad, suggesting the bug can be fixed. If you're concerned about the privacy implications of this bug, Mullvad recommends switching to GrapheneOS.
There is one alternative that Android users can try. The security engineer who discovered the issue also found a debug command that works on Android devices when USB debugging is enabled. (You can download Android Debug Bridge if necessary.) But the blog post also warns readers to only try the workaround if they understand the implications of turning off features in USB debugging mode.
You can find more information on how to enter it here, but note that subsequent Android updates may undo this fix, so it should not be considered a permanent solution.