Android 16 Flaw Leaks Real IPs Despite VPN, Google Labels Fix Infeasible

Android 16 Vulnerability Exposes Users’ Real IP Addresses Despite VPN Use

A recently uncovered vulnerability in Android 16 has raised significant privacy concerns by allowing malicious applications to bypass Virtual Private Network (VPN) protections and expose users’ real IP addresses. This flaw, termed the Tiny UDP Cannon, enables any standard Android app with basic permissions to leak network traffic outside the secure VPN tunnel. Alarmingly, this bypass occurs even when users have enabled the Always-On VPN and “Block connections without VPN” settings, features specifically designed to enforce comprehensive traffic protection.

Understanding the Vulnerability

At the heart of this issue lies a design flaw within Android’s ConnectivityManager service. Instead of transmitting network traffic directly, a malicious app can register a payload with the system process known as `system_server`. This process operates with elevated privileges and is not constrained by VPN routing rules. Consequently, once the app terminates or its socket is destroyed, `system_server` dispatches the attacker-controlled data over the device’s physical network interface, such as Wi-Fi, effectively circumventing the VPN.

This behavior is facilitated by the method `registerQuicConnectionClosePayload`, which lacks:

– Permission Checks: Allowing any app with basic permissions to exploit the method.

– Payload Validation: Enabling the transmission of arbitrary data.

– Awareness of VPN Lockdown Policies: Permitting data transmission outside the VPN tunnel, even when strict security settings are enabled.

As a result, even applications granted only auto-granted permissions, such as `INTERNET` and `ACCESS_NETWORK_STATE`, can exploit this mechanism.

Implications for User Privacy

This vulnerability fundamentally undermines Android’s VPN trust model. Attackers can:

– Reveal Users’ Real Public IP Addresses: Compromising anonymity.

– Exfiltrate Data Outside Encrypted VPN Tunnels: Leading to potential data breaches.

– Track Users Despite Privacy Protections: Facilitating surveillance and profiling.

The flaw was successfully tested on a Pixel 8 device running Android 16 with Proton VPN enabled and lockdown mode active, demonstrating its effectiveness in real-world scenarios.

Indicators of Compromise (IOCs)

To detect potential exploitation of this vulnerability, users and security professionals should monitor for the following indicators:

– Network Activity: Unauthorized UDP packets sent outside the VPN tunnel.

– Source IP: The device’s real Wi-Fi IP address (e.g., 192.168.x.x).

– Destination: Connections to attacker-controlled servers and ports (e.g., port 3131).

– Payload Pattern: Arbitrary or tagged data, such as `EXFIL{src=IP}`.

– Permissions Used: Basic permissions like `INTERNET` and `ACCESS_NETWORK_STATE`.

– System Component: The `system_server` process (UID 1000) initiating unexpected network traffic.
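One way to check the network-level indicators above from outside the phone, for example on the Wi-Fi gateway (an added example, not code from the researchers or from Android): it scans `tcpdump -n udp` text output for UDP datagrams that leave the device's LAN address for anything other than the VPN endpoint. The capture lines, addresses and the function name `find_vpn_bypass` are constructed for illustration; port 3131 is the example port listed above.

```python
import ipaddress
import re

# Constructed `tcpdump -n udp` lines as seen on the Wi-Fi gateway (not from the page).
# Assumed roles: 192.168.1.23 = phone, 203.0.113.10:51820 = VPN server.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.1.23.44321 > 203.0.113.10.51820: UDP, length 148
12:00:01.200000 IP 203.0.113.10.51820 > 192.168.1.23.44321: UDP, length 92
12:00:02.300000 IP 192.168.1.23.37000 > 192.168.1.1.1900: UDP, length 120
12:00:05.400000 IP 192.168.1.23.40112 > 198.51.100.7.3131: UDP, length 24
12:00:06.500000 IP 192.168.1.50.41000 > 198.51.100.7.3131: UDP, length 24
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)


def find_vpn_bypass(capture, device_ip, lan_cidr, vpn_endpoint):
    """Return UDP datagrams the device sent off-LAN to anything but the VPN endpoint."""
    lan = ipaddress.ip_network(lan_cidr)
    device = ipaddress.ip_address(device_ip)
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a plain UDP line; skipped rather than guessed at
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src != device:
            continue  # other hosts, and replies coming back to the device
        if dst in lan or dst.is_multicast:
            continue  # LAN-local and multicast traffic is not an internet-facing leak
        if (str(dst), int(m["dport"])) == vpn_endpoint:
            continue  # the encrypted tunnel itself
        leaks.append({"time": m["ts"], "dst": str(dst),
                      "dport": int(m["dport"]), "bytes": int(m["length"])})
    return leaks


if __name__ == "__main__":
    for hit in find_vpn_bypass(SAMPLE_CAPTURE, "192.168.1.23",
                               "192.168.1.0/24", ("203.0.113.10", 51820)):
        print("outside tunnel:", hit)
```

A hit on the gateway shows only that a datagram left outside the tunnel; attributing it to `system_server` (UID 1000) requires on-device evidence.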

Response from Google

The issue was reported to Google’s Android Vulnerability Reward Program (VRP) in April 2026. However, the Android Security Team classified it as Won’t Fix (Infeasible), stating that it does not meet the criteria for inclusion in a security bulletin. Despite this, researchers argue that the flaw poses significant privacy risks, especially for users who rely on VPNs for anonymity.

Temporary Mitigation

A temporary workaround exists via an Android Debug Bridge (ADB) command that disables the vulnerable QUIC feature:

```
adb shell device_config put tethering close_quic_connection -1
```

After executing this command and rebooting the device, the system ceases to send the registered payloads, effectively blocking the leak. However, this workaround is not a permanent solution and may be removed in future updates.

Broader Context and Recommendations

This vulnerability is part of a series of security issues affecting Android devices. For instance, in May 2024, a critical vulnerability was identified that allowed DNS traffic to leak during VPN server switches, potentially exposing users’ internet activity to cybercriminals. Additionally, in December 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added two critical Android Framework vulnerabilities to its Known Exploited Vulnerabilities catalog, signaling active exploitation in the wild.

Given the increasing reliance on VPNs for privacy and security, such vulnerabilities highlight the need for continuous vigilance and prompt action. Users are advised to:

– Monitor Network Activity: Regularly check for unauthorized connections or data transmissions.

– Apply Mitigations: Utilize available workarounds and stay informed about potential fixes.

– Stay Updated: Keep devices updated with the latest security patches and updates.

As VPN usage continues to grow, addressing such bypasses is crucial to maintaining user privacy and security.