Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
Cybersecurity NewsArchived May 16, 2026✓ Full text saved
A newly disclosed flaw in Android 16 is raising serious privacy concerns after researchers revealed that malicious apps can bypass VPN protections and expose a user’s real IP address even when strict security settings are enabled. The vulnerability, dubbed the “Tiny UDP Cannon,” allows any regular Android app with basic permissions to leak network traffic […] The post Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeAndroid
Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
By Abinaya
May 16, 2026
A newly disclosed flaw in Android 16 is raising serious privacy concerns after researchers revealed that malicious apps can bypass VPN protections and expose a user’s real IP address even when strict security settings are enabled.
The vulnerability, dubbed the “Tiny UDP Cannon,” allows any regular Android app with basic permissions to leak network traffic outside the VPN tunnel.
This bypass works even when users enable “Always-On VPN” and “Block connections without VPN,” two features designed to enforce complete traffic protection.
Android 16 VPN Bypass
At the core of the issue is a design flaw in Android’s ConnectivityManager service.
Instead of sending network traffic directly, a malicious app can register a payload with the system process (system_server), which operates with elevated privileges and is not bound by VPN routing rules.
Once the app exits or its socket is destroyed, system_server sends the attacker-controlled data over the device’s physical network interface, such as Wi-Fi, completely bypassing the VPN.
This behavior stems from the method:
registerQuicConnectionClosePayload
The method lacks:
Permission checks.
Payload validation.
Awareness of VPN lockdown policies.
As a result, even apps with only auto-granted permissions, such as INTERNET and ACCESS_NETWORK_STATE, can exploit this mechanism.
The vulnerability effectively breaks Android’s VPN trust model. Attackers can:
Reveal a user’s real public IP address.
Exfiltrate data outside encrypted VPN tunnels.
Track users despite privacy protections.
The issue was successfully tested on a Pixel 8 running Android 16 with Proton VPN enabled and lockdown mode active.
Indicators of Compromise (IOCs)
Below are key indicators associated with exploitation:
Network Activity: Unauthorized UDP packets sent outside the VPN tunnel.
Source IP: Device’s real Wi-Fi IP (e.g., 192.168.x.x).
Destination: Attacker-controlled server and port (e.g., port 3131).
Payload Pattern: Arbitrary or tagged data such as EXFIL{src=IP}.
Permissions Used: INTERNET, ACCESS_NETWORK_STATE.
System Component: system_server (UID 1000) initiating traffic.
The issue was reported to Google’s Android Vulnerability Reward Program (VRP) in April 2026.
However, the Android Security Team classified it as “Won’t Fix (Infeasible)”. It stated that it does not meet the criteria for inclusion in a security bulletin.
Despite this, researchers argue that the flaw poses significant privacy risks, especially for users who rely on VPNs for anonymity.
A temporary mitigation exists via an ADB command that turns off the vulnerable QUIC feature:
adb shell device_config put tethering close_quic_connection -1
After rebooting, the system stops sending the registered payloads, effectively blocking the leak.
However, this is not a permanent fix and may be removed in future updates.
Researchers at lowlevel.fun warned that system-level exemptions can unintentionally bypass key mobile security protections.
As VPN usage continues to grow, such bypasses could become a critical attack vector for surveillance and data leakage.
Users and security teams are advised to monitor unusual network activity and apply mitigations where possible until an official fix is introduced.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager
New cPanel and WHM Flaws Enable Code Execution, DoS Attacks
Hackers Abuse Legitimate HWMonitor Binary to Load Malicious DLL Payload
Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets
Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks
Latest News
Cyber Security News
OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack
Cyber Security News
Shai-Hulud Worm Steals npm, GitHub, AWS, and Kubernetes Secrets From Developers
Cyber Security News
Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens
Cyber Security News
Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026
Cyber Security News
Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems