Android 16 Bug Allows Apps to Ignore VPNs and Leak IP Addresses

CNET (All), May 15, 2026

Why It Matters

The flaw undermines the core privacy promise of VPNs on Android, exposing users—especially those in high‑risk environments—to IP‑level tracking. It also highlights a gap in Google’s patch prioritization that could erode confidence in the platform’s security roadmap.

Key Takeaways

  • Android 16's ConnectivityManager can bypass VPN tunnels.
  • Google labeled fix “infeasible,” leaving bug unpatched.
  • GrapheneOS released a patch for the VPN bypass.
  • Workaround uses ADB command, but may be undone by updates.
  • “Always‑on VPN” settings no longer guarantee traffic encryption.

Pulse Analysis

Virtual private networks have become a staple for mobile privacy, encrypting traffic and masking IP addresses to protect users from ISP snooping and geo‑restriction enforcement. Android’s dominance makes its VPN implementation a critical security layer, yet the newly identified bug in the ConnectivityManager service subverts that layer by sending a termination signal that skips the VPN tunnel entirely. This technical oversight means that any app capable of invoking the final‑message API can leak a device’s true IP, regardless of the user’s VPN configuration or chosen server location.

The discovery, posted by a Zurich‑based security researcher and relayed through Google’s Vulnerability Reward Program, was met with a surprising response: Google classified the issue as “infeasible” to remediate and deprioritized it. While Google Play Protect shields users from known malicious apps, newly crafted threats could exploit the bypass before detection. In contrast, the privacy‑focused GrapheneOS quickly patched the vulnerability, demonstrating how open‑source Android forks can act faster on security gaps. For users unwilling or unable to switch OSes, the researcher disclosed an ADB command that disables the offending service, though the fix is fragile and may be overwritten by subsequent OS updates.

For enterprises and privacy‑conscious consumers, the episode serves as a cautionary tale about relying solely on VPNs for data protection on mainstream Android devices. Organizations should consider supplemental network‑level controls, such as enforced device‑management policies that restrict app installations or mandate use of hardened OS builds like GrapheneOS. Meanwhile, the broader Android ecosystem may need to reassess its vulnerability triage criteria, ensuring that privacy‑critical bugs receive timely remediation to maintain user trust.
