A newly disclosed vulnerability affecting Android 16 allows malicious apps to leak a user’s real IP address outside the VPN tunnel, including when “Always-On VPN” and “Block connections without VPN” are enabled.

The issue impacts Android’s VPN enforcement model itself and is not limited to any single VPN provider.

Security researchers demonstrated that a normal Android application with only basic permissions can bypass VPN routing protections and transmit traffic directly over the device’s physical network connection.

Important: This issue can expose a user's real IP address even when Android is configured to block all traffic outside the VPN tunnel.

What Was Discovered

The vulnerability was publicly disclosed in a technical write-up titled:

“The Tiny UDP Cannon: An Android VPN Bypass”

The researcher showed that Android 16 introduced a new QUIC graceful shutdown feature that can be abused by unprivileged applications.

Specifically, the issue involves the hidden Android system method:

registerQuicConnectionClosePayload()

The feature was designed to let Android gracefully close QUIC connections by sending a final UDP payload after an app’s socket is terminated.

However, researchers found that the implementation fails to properly enforce VPN routing restrictions.

As a result, a malicious application can trick Android’s system_server process into sending arbitrary UDP packets directly through the device’s physical Wi-Fi interface.

Since the traffic is emitted by the privileged system process instead of the app itself, the VPN tunnel is bypassed entirely.

Why This Is Serious

Android’s “Always-On VPN” and “Block connections without VPN” settings are widely understood as hard guarantees that no traffic can leave the device outside the VPN tunnel.

The new research demonstrates that those guarantees do not fully hold under this attack scenario.

Even a regular app with only the following automatically granted permissions can trigger the leak:

No root access, accessibility permissions, VPN permissions, or special Android privileges are required.

How The Bypass Works

Android normally prevents VPN-locked apps from directly binding sockets to physical networks like Wi-Fi.

However, researchers discovered a subtle loophole involving the Linux kernel’s local bind() behavior.

By binding a UDP socket directly to the device’s Wi-Fi IP address, the app can create a socket associated with the physical network without immediately transmitting traffic.

The app then registers a payload with Android’s ConnectivityManager service.

When the socket is destroyed, Android’s privileged system_server later sends the payload on behalf of the app.

Because system_server operates with elevated networking permissions, the packet bypasses the VPN tunnel entirely.

In short: The malicious app never directly sends the packet itself. Android’s own system process sends it outside the VPN tunnel.

What Information Can Leak?

The most immediate privacy risk is exposure of the user’s real public IP address.

That information may be used for:

The proof-of-concept demonstrated arbitrary attacker-controlled UDP payloads being transmitted outside the VPN tunnel.

Google’s Response

According to the disclosure timeline, the vulnerability was reported to the Android Security Team in April 2026.

The report was reportedly closed as:

Won't Fix (Infeasible)

The issue was also classified as:

NSBC (Not Security Bulletin Class)

The researcher appealed the decision, arguing that Android users rely on VPN lockdown mode as a strong privacy guarantee.

Despite the appeal, the original decision reportedly remained unchanged.

GrapheneOS Patched The Issue

In contrast, the security-focused Android operating system GrapheneOS quickly implemented a patch addressing the vulnerability.

The patch modifies the Connectivity module to prevent the QUIC payload mechanism from bypassing VPN enforcement rules.

The public patch can be viewed here:

Temporary Mitigation

Researchers discovered that the vulnerable QUIC graceful shutdown feature can currently be disabled through Android Debug Bridge (ADB).

The following commands disable the feature:

adb shell device_config put tethering close_quic_connection -1
adb reboot

This mitigation disables the QUIC close payload mechanism globally, preventing the VPN bypass from triggering.

Warning: This mitigation requires enabling USB debugging and should only be used by users who understand the implications.

Researchers note that the mitigation may be reverted by future Android system updates.
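Because the setting can be reverted by a later system update, it is worth re-checking it rather than applying it once. The script below is an added example, not part of the write-up or any project: it reads the flag back with `device_config get`, decides whether the documented value is present, and re-applies the two commands above if it is not. It assumes `adb` is on PATH with a single device attached, and that `device_config get NAMESPACE KEY` prints the stored value or `null` when the flag has never been set.

```shell
#!/bin/sh
# Added example: verify (and if needed re-apply) the ADB mitigation from the
# disclosure. Assumes `adb shell device_config get tethering close_quic_connection`
# prints the current value, or "null" when the flag was never set.

NAMESPACE="tethering"
KEY="close_quic_connection"
MITIGATED_VALUE="-1"   # value given in the disclosure for disabling the feature

# Decide from a raw flag value whether the mitigation is in place.
# Prints "mitigated" (exit 0) or "exposed" (exit 1), so the decision can be
# exercised without a device attached.
classify_flag() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ "$value" = "$MITIGATED_VALUE" ]; then
        echo mitigated
        return 0
    fi
    echo exposed
    return 1
}

# Read the flag from the attached device (requires USB debugging enabled).
read_flag() {
    adb shell device_config get "$NAMESPACE" "$KEY"
}

# Apply the mitigation exactly as documented, then reboot so it takes effect.
apply_mitigation() {
    adb shell device_config put "$NAMESPACE" "$KEY" "$MITIGATED_VALUE"
    adb reboot
}

main() {
    current=$(read_flag)
    if classify_flag "$current" >/dev/null; then
        echo "$KEY=$current: mitigation in place"
    else
        echo "$KEY=${current:-unset}: QUIC close payload still enabled, re-applying"
        apply_mitigation
    fi
}

# Only talk to a device when invoked with --run (keeps the functions sourceable).
case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sh check_quic_close.sh --run` after each system update, or from a scheduled job on a host the device is regularly connected to.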

What Is ADB?

Android Debug Bridge (ADB) is an official Android command-line tool used for debugging and advanced device management.

More information is available through Google’s documentation:

Who Is Most Affected?

The vulnerability is particularly concerning for users who rely on VPNs for strong privacy guarantees, including:

Since the attack only requires a normal installed app, malicious software distributed through third-party app stores or deceptive apps could theoretically abuse the flaw.

Important Context

This vulnerability does not allow remote device compromise by itself.

A malicious application must already be installed on the device for the attack to occur.

However, the issue weakens one of Android’s core VPN privacy guarantees and demonstrates how privileged system components can unintentionally bypass user-imposed networking restrictions.

The Bigger Picture

The disclosure highlights a broader challenge in modern operating system security:

Features added for performance or protocol reliability can sometimes introduce unexpected security side effects.

In this case, a feature intended to gracefully close QUIC connections created a pathway capable of bypassing Android’s VPN lockdown protections.

It also raises questions about how mobile operating systems define privacy threat models, especially when users explicitly enable strict VPN enforcement settings expecting complete traffic isolation.

Sources

This article was written by DigitalEscapeTools based on publicly disclosed security research and technical analysis.