Skip to main content
  1. Home
  2. Phones
  3. News

Android 16 VPN bug turns apps installed on your phone into a leaky sink

Android 16 has a bug that lets apps bypass your VPN and leak your real IP address.

By
Add as a preferred source on Google
Android 16 logo on Google Pixel 6a standing on a table.
Tushar Mehta / Digital Trends

That VPN you are running on your Android 16 device may not be doing as much as you think. A newly discovered bug in Android 16 allows any app on your device to send traffic outside your VPN tunnel, exposing your real IP address to the internet, regardless of which VPN you use or how locked down your settings are.

The vulnerability was first reported by a Zurich-based security engineer going by the handle @cybaqkebm, and was later flagged by VPN provider Mullvad, which confirmed the bug affects all VPN apps on Android 16, not just its own.

A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm

Read more here: https://t.co/K9bxtiGHbw

— Mullvad.net (@mullvadnet) May 12, 2026

How bad is this and what does Google have to say?

The bug involves a system service in Android 16 called ConnectivityManager. It is designed to let apps send a final message to web servers when a connection ends. The problem is that this service bypasses the VPN tunnel entirely, sending data unencrypted and leaking your real IP address in the process.

Recommended Videos

The security engineer reported the issue through Google’s Vulnerability Reward Program. However, Google‘s response was to close the report and mark it as ‘Won’t Fix,’ describing it as outside their threat model.

A Google spokesperson told CNET that the issue only affects devices that have downloaded a malicious app, and that Google Play Protect automatically shields users from known malicious apps.

The problem is that Play Protect only covers apps it already recognizes. Unknown malicious apps have previously slipped into the Play Store and racked up millions of downloads before being removed.

Is there anything you can do right now?

phone showing GrapheneOS logo
Rachit Agarwal / Digital Trends

Your options are limited, and none of them are particularly user-friendly. A technical workaround exists involving a debug command, but the researcher who found the bug warned people to only attempt it if they fully understand the implications. It may also get wiped by future Android updates.

GrapheneOS, a security-focused Android variant, has already patched the issue, but switching operating systems is not realistic for most users. There is no evidence of active exploitation yet, but with Google declining to act, the safest advice for now is to be very careful about what you install.

Manisha Priyadarshini
Manisha Priyadarshini
News Writer
Manisha Priyadarshini is a tech and entertainment writer with over nine years of editorial experience.
Topics
I tried a hidden video trick in iOS 27, and it saved me a ton of frustration
Better quality, smaller file size, and no status bar. iOS 27's video frame feature beats screenshots on every count.
Electronics, Mobile Phone, Phone

If you've ever been on vacation and chose to record video instead of taking photos only to avoid missing the fun moments, thinking you’d pause and take screenshots later, you might have ended up questioning your decision later. 

You see, the process involves multiple steps, starting from hunting for the right frame, pausing, and taking a screenshot. If it doesn’t look good, you go back to the video, pause somewhere else, and try taking another screenshot. You see where I’m going with this?

Read more
iPhone 18 Pro images are already floating on the dark web with a whole bunch of other Apple secrets
A ransomware attack on Tata Electronics reportedly exposed confidential documents tied to Apple's next flagship.
Apple iPhone 17 Pro White

Apple is famous for keeping future iPhones under lock and key. This time, however, the leak didn't come from a case maker or an overenthusiastic tipster. According to Reuters, confidential files linked to the iPhone 18 Pro have surfaced on the dark web following a cyberattack on Tata Electronics, one of Apple's most important manufacturing partners in India.

The leak goes far beyond a few blurry photos

Read more
Apple has six new iPhones lined up for 2027 with some serious upgrade muscle
The 2027 iPhone lineup looks stacked
Electronics, Phone, Mobile Phone

Apple's iPhone launch calendar may get a lot busier in 2027. A new leak claims the company has six new iPhone models lined up across the year, and if most of it is accurate, we could be looking at the biggest iPhone roadmap in years.

According to known tipster, Digital Chat Station, Apple’s early 2027 lineup could include the iPhone Air 2, iPhone 18, and iPhone 18e. The fall lineup is expected to bring next-generation Pro models and a second foldable iPhone, reportedly referred to as iPhone Ultra 2.

Read more