CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 16, 2026

Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address

Cybersecurity News Archived May 16, 2026 ✓ Full text saved

A newly disclosed flaw in Android 16 is raising serious privacy concerns after researchers revealed that malicious apps can bypass VPN protections and expose a user’s real IP address even when strict security settings are enabled. The vulnerability, dubbed the “Tiny UDP Cannon,” allows any regular Android app with basic permissions to leak network traffic […] The post Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeAndroid Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address By Abinaya May 16, 2026 A newly disclosed flaw in Android 16 is raising serious privacy concerns after researchers revealed that malicious apps can bypass VPN protections and expose a user’s real IP address even when strict security settings are enabled. The vulnerability, dubbed the “Tiny UDP Cannon,” allows any regular Android app with basic permissions to leak network traffic outside the VPN tunnel. This bypass works even when users enable “Always-On VPN” and “Block connections without VPN,” two features designed to enforce complete traffic protection. Android 16 VPN Bypass At the core of the issue is a design flaw in Android’s ConnectivityManager service. Instead of sending network traffic directly, a malicious app can register a payload with the system process (system_server), which operates with elevated privileges and is not bound by VPN routing rules. Once the app exits or its socket is destroyed, system_server sends the attacker-controlled data over the device’s physical network interface, such as Wi-Fi, completely bypassing the VPN. This behavior stems from the method: registerQuicConnectionClosePayload The method lacks: Permission checks. Payload validation. Awareness of VPN lockdown policies. As a result, even apps with only auto-granted permissions, such as INTERNET and ACCESS_NETWORK_STATE, can exploit this mechanism. The vulnerability effectively breaks Android’s VPN trust model. Attackers can: Reveal a user’s real public IP address. Exfiltrate data outside encrypted VPN tunnels. Track users despite privacy protections. The issue was successfully tested on a Pixel 8 running Android 16 with Proton VPN enabled and lockdown mode active. Indicators of Compromise (IOCs) Below are key indicators associated with exploitation: Network Activity: Unauthorized UDP packets sent outside the VPN tunnel. Source IP: Device’s real Wi-Fi IP (e.g., 192.168.x.x). Destination: Attacker-controlled server and port (e.g., port 3131). Payload Pattern: Arbitrary or tagged data such as EXFIL{src=IP}. Permissions Used: INTERNET, ACCESS_NETWORK_STATE. System Component: system_server (UID 1000) initiating traffic. The issue was reported to Google’s Android Vulnerability Reward Program (VRP) in April 2026. However, the Android Security Team classified it as “Won’t Fix (Infeasible)”. It stated that it does not meet the criteria for inclusion in a security bulletin. Despite this, researchers argue that the flaw poses significant privacy risks, especially for users who rely on VPNs for anonymity. A temporary mitigation exists via an ADB command that turns off the vulnerable QUIC feature: adb shell device_config put tethering close_quic_connection -1 After rebooting, the system stops sending the registered payloads, effectively blocking the leak. However, this is not a permanent fix and may be removed in future updates. Researchers at lowlevel.fun warned that system-level exemptions can unintentionally bypass key mobile security protections. As VPN usage continues to grow, such bypasses could become a critical attack vector for surveillance and data leakage. Users and security teams are advised to monitor unusual network activity and apply mitigations where possible until an official fix is introduced. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager New cPanel and WHM Flaws Enable Code Execution, DoS Attacks Hackers Abuse Legitimate HWMonitor Binary to Load Malicious DLL Payload Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks Latest News Cyber Security News OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack Cyber Security News Shai-Hulud Worm Steals npm, GitHub, AWS, and Kubernetes Secrets From Developers Cyber Security News Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens Cyber Security News Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026 Cyber Security News Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 16, 2026
    Archived
    May 16, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗