Android 16 VPN Flaw Exposes Users’ Real IP Addresses

A recently uncovered vulnerability in Android 16 allows malicious applications to bypass VPN protections, exposing users’ real IP addresses even when stringent security settings are enabled. This flaw, known as the “Tiny UDP Cannon,” enables any standard Android app with basic permissions to leak network traffic outside the VPN tunnel.

Even with features like “Always-On VPN” and “Block connections without VPN” activated, this bypass remains effective. The root cause lies in a design flaw within Android’s ConnectivityManager service. Malicious apps can register a payload with the system process (system_server), which operates with elevated privileges and isn’t bound by VPN routing rules. Consequently, when the app exits or its socket is destroyed, system_server transmits the attacker-controlled data over the device’s physical network interface, such as Wi-Fi, completely circumventing the VPN.

This vulnerability effectively undermines Android’s VPN trust model, allowing attackers to reveal a user’s real public IP address, exfiltrate data outside encrypted VPN tunnels, and track users despite privacy protections. The issue was successfully tested on a Pixel 8 running Android 16 with Proton VPN enabled and lockdown mode active.

Indicators of compromise include unauthorized UDP packets sent outside the VPN tunnel, the device’s real Wi-Fi IP as the source, and payload patterns like EXFIL{src=IP}. The issue was reported to Google’s Android Vulnerability Reward Program in April 2026. However, the Android Security Team classified it as “Won’t Fix (Infeasible),” stating it doesn’t meet the criteria for inclusion in a security bulletin.
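One way for a defender to apply these indicators to captured traffic offline, as an added example that is not part of the article or the researchers' work: the packet records, interface names (wlan0, tun0), addresses and the VPN server endpoint below are constructed assumptions, and the check treats only the VPN's own tunnel transport as legitimate on the physical interface when lockdown is enabled.

```python
import re
from dataclasses import dataclass

# Constructed capture records (a real capture would come from a pcap on the
# device); the field layout is an assumption made for this example.
@dataclass
class Packet:
    iface: str      # egress interface, e.g. "wlan0" (Wi-Fi) or "tun0" (VPN)
    proto: str      # "UDP" or "TCP"
    src_ip: str
    dst_ip: str
    payload: bytes

# Payload marker named in the report, capturing the leaked source address.
EXFIL_RE = re.compile(rb"EXFIL\{src=(\d{1,3}(?:\.\d{1,3}){3})\}")

def flag_packet(pkt, vpn_ifaces, wifi_ip, vpn_server):
    """Return the indicators matched by one packet (empty list if clean).

    With "Block connections without VPN" enabled, the only traffic expected on
    the physical interface is the VPN client's own transport to the VPN server;
    anything else sourced from the Wi-Fi address is a leak.
    """
    hits = []
    on_physical = pkt.iface not in vpn_ifaces
    if on_physical and pkt.dst_ip != vpn_server:
        if pkt.proto == "UDP":
            hits.append("udp-outside-vpn")
        if pkt.src_ip == wifi_ip:
            hits.append("wifi-ip-as-source")
    m = EXFIL_RE.search(pkt.payload)
    if m:
        hits.append("exfil-marker:" + m.group(1).decode())
    return hits

def scan(packets, vpn_ifaces=frozenset({"tun0"}), wifi_ip="192.168.1.23",
         vpn_server="203.0.113.10"):
    """Map packet index -> matched indicators for every suspicious packet."""
    report = {}
    for i, pkt in enumerate(packets):
        hits = flag_packet(pkt, vpn_ifaces, wifi_ip, vpn_server)
        if hits:
            report[i] = hits
    return report

# Constructed sample: tunnel transport (expected), app traffic inside the
# tunnel (expected), and a leaked UDP datagram on Wi-Fi carrying the marker.
SAMPLE = [
    Packet("wlan0", "UDP", "192.168.1.23", "203.0.113.10", b"\x04\x00\x00\x00tunnel"),
    Packet("tun0", "TCP", "10.2.0.2", "198.51.100.7", b"GET / HTTP/1.1\r\n"),
    Packet("wlan0", "UDP", "192.168.1.23", "198.51.100.99", b"EXFIL{src=192.168.1.23}"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE).items():
        print(f"packet {idx}: {', '.join(hits)}")
```

Only the third sample packet is reported; the first is the tunnel's own transport to the VPN server and is deliberately excluded, so the VPN server address must be set correctly for the device being checked.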

Despite this, researchers argue that the flaw poses significant privacy risks, especially for users who rely on VPNs for anonymity. A temporary mitigation exists via an ADB command that disables the vulnerable QUIC feature: adb shell device_config put tethering close_quic_connection -1. After rebooting, the system stops sending the registered payloads, effectively blocking the leak. However, this is not a permanent fix and may be removed in future updates.

As VPN usage continues to grow, such bypasses could become a critical attack vector for surveillance and data leakage. Users and security teams are advised to monitor unusual network activity and apply mitigations where possible until an official fix is introduced.

Given the increasing reliance on VPNs for privacy and security, this vulnerability highlights the need for robust and comprehensive security measures within operating systems. Users should stay informed about potential risks and apply available mitigations to protect their data.

Source: Cyber Security News