Android 16 Bug Allows Apps to Ignore VPNs and Leak IP Addresses
Publish Date: 2026-05-15 16:50:00
Source Domain: www.cnet.com
Reports surfaced this week that Android 16 may have a vulnerability that allows apps to ignore VPNs and send IP information, regardless of settings. A security engineer based in Zurich posted about the bug on the website lowlevel.fun and wrote that it had been reported through Google’s Vulnerability Reward Program, which pays rewards to security researchers who find bugs in Android apps. The findings were reposted by VPN provider Mullvad on the company’s blog.
But the engineer shared logs showing that Android’s security team closed the report, saying it was “infeasible” to fix and wasn’t considered a high enough priority for the security team. The engineer did not immediately respond to a request for comment.
“This issue only affects devices that have downloaded a malicious app,” a representative for Google told CNET in an email.
The Google representative said Google Play Protect automatically protects users from known malicious apps, although by definition, newly emerging threats may not yet be recognized by automated detection systems.
A VPN, or virtual private network, is software that encrypts your internet traffic and masks your IP address. It allows you to keep your online activity private from your internet service provider or make apps and websites believe you’re in a different state or country.
This bug involves the ConnectivityManager system service in Android 16, which allows apps to send a final message to web servers telling them an online connection has completely ended. But this service currently bypasses the VPN tunnel, leaving traffic unencrypted and exposing sensitive information, including your device’s real IP address, regardless of the server location you choose.
In this case, the type of VPN an Android user is using — along with its permissions or encryption settings — is irrelevant. This vulnerability bypasses those protections entirely.
Notably, the issue persists even when you have “Always-on VPN” or “Block connections without VPN”…