A critical vulnerability in Android 16 has surfaced, prompting privacy concerns as research reveals that certain apps can circumvent VPN protections and disclose users’ real IP addresses, even when strong security configurations are in place.
Understanding the VPN Bypass Issue
The security flaw, identified as the “Tiny UDP Cannon,” enables any standard Android application with minimal permissions to send network data outside the encrypted VPN tunnel. The vulnerability persists even when the “Always-On VPN” and “Block connections without VPN” settings are enabled, which are intended to ensure that all traffic is protected.
Technical Details of the Exploit
The root of the problem lies within Android’s ConnectivityManager service. A malicious app can leverage system processes with elevated privileges, which are not constrained by VPN routing rules, to transmit data. This occurs when the system_server process, which is not subject to VPN rules, sends data over the device’s physical network interface, such as Wi-Fi, once an application exits or its socket is closed.
Security Implications and User Risks
This vulnerability undermines the Android VPN trust model, allowing attackers to reveal users’ real public IP addresses, extract data outside encrypted VPN connections, and potentially track users despite privacy measures. The flaw was confirmed on a Pixel 8 running Android 16 with Proton VPN, with lockdown mode active.
Key indicators of compromise include unauthorized UDP network activity, exposure of the device’s real IP address, and data being sent to attacker-controlled destinations. The exploit uses permissions such as INTERNET and ACCESS_NETWORK_STATE, which many ordinary apps also request.
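An added example, not from the original article or the researcher's work: a check for the "unauthorized UDP network activity" indicator, run over a packet capture taken upstream of the device (for example on the Wi-Fi router) while lockdown mode is on. The capture lines, all addresses and the function name `find_udp_leaks` are constructed for illustration.

```python
import ipaddress
import re

# Simplified `tcpdump -n` line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def find_udp_leaks(lines, device_ip, vpn_endpoints, local_net):
    """Return UDP packets the device sent on the physical network to any
    off-LAN destination other than the VPN server (hypothetical helper)."""
    device = ipaddress.ip_address(device_ip)
    allowed = {ipaddress.ip_address(e) for e in vpn_endpoints}
    lan = ipaddress.ip_network(local_net)
    leaks = []
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m or ipaddress.ip_address(m["src"]) != device:
            continue  # not UDP, unparsable, or not sent by the monitored device
        dst = ipaddress.ip_address(m["dst"])
        # LAN and multicast traffic stays local and does not expose the public IP
        if dst in lan or dst.is_multicast:
            continue
        if dst not in allowed:
            leaks.append((m["ts"], str(dst), int(m["dport"]), int(m["len"])))
    return leaks

# Constructed sample capture. Assumptions: the phone is 192.168.1.50, the VPN
# server is 198.51.100.7, and 203.0.113.66 stands in for an unexpected
# destination (all documentation or private addresses).
SAMPLE = """\
10:15:01.000101 IP 192.168.1.50.40112 > 198.51.100.7.51820: UDP, length 148
10:15:01.200340 IP 198.51.100.7.51820 > 192.168.1.50.40112: UDP, length 92
10:15:02.310778 IP 192.168.1.50.5353 > 224.0.0.251.5353: UDP, length 45
10:15:03.904512 IP 192.168.1.50.47001 > 203.0.113.66.443: UDP, length 31
10:15:04.100000 IP 192.168.1.50.40112 > 198.51.100.7.51820: UDP, length 1280
""".splitlines()

if __name__ == "__main__":
    hits = find_udp_leaks(SAMPLE, "192.168.1.50", ["198.51.100.7"], "192.168.1.0/24")
    for ts, dst, port, size in hits:
        print(f"{ts} UDP outside tunnel -> {dst}:{port} ({size} bytes)")
```

With lockdown enabled, the only off-LAN destination the device should reach on the physical network is the VPN server, so any row this returns warrants investigation.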
Response and Mitigation
The vulnerability was disclosed to Google’s Android Vulnerability Reward Program in April 2026. The Android Security Team deemed it “Won’t Fix (Infeasible),” as it did not qualify for a security bulletin. A temporary workaround involves disabling the QUIC feature through an ADB command, although this is not a permanent solution and may be subject to removal in future updates.
As the use of VPNs continues to expand, vulnerabilities like this could become significant vectors for data leaks and surveillance. Users and IT security professionals are advised to remain vigilant for unusual network activities and apply temporary mitigations until a permanent fix is released.
