Skip to main content
  1. Home
  2. Phones
  3. News

Android 16 VPN bug turns apps installed on your phone into a leaky sink

Android 16 has a bug that lets apps bypass your VPN and leak your real IP address.

By
Add as a preferred source on Google
Android 16 logo on Google Pixel 6a standing on a table.
Tushar Mehta / Digital Trends

That VPN you are running on your Android 16 device may not be doing as much as you think. A newly discovered bug in Android 16 allows any app on your device to send traffic outside your VPN tunnel, exposing your real IP address to the internet, regardless of which VPN you use or how locked down your settings are.

The vulnerability was first reported by a Zurich-based security engineer going by the handle @cybaqkebm, and was later flagged by VPN provider Mullvad, which confirmed the bug affects all VPN apps on Android 16, not just its own.

A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm

Read more here: https://t.co/K9bxtiGHbw

— Mullvad.net (@mullvadnet) May 12, 2026

How bad is this and what does Google have to say?

The bug involves a system service in Android 16 called ConnectivityManager. It is designed to let apps send a final message to web servers when a connection ends. The problem is that this service bypasses the VPN tunnel entirely, sending data unencrypted and leaking your real IP address in the process.

Recommended Videos

The security engineer reported the issue through Google’s Vulnerability Reward Program. However, Google‘s response was to close the report and mark it as ‘Won’t Fix,’ describing it as outside their threat model.

A Google spokesperson told CNET that the issue only affects devices that have downloaded a malicious app, and that Google Play Protect automatically shields users from known malicious apps.

The problem is that Play Protect only covers apps it already recognizes. Unknown malicious apps have previously slipped into the Play Store and racked up millions of downloads before being removed.

Is there anything you can do right now?

phone showing GrapheneOS logo
Rachit Agarwal / Digital Trends

Your options are limited, and none of them are particularly user-friendly. A technical workaround exists involving a debug command, but the researcher who found the bug warned people to only attempt it if they fully understand the implications. It may also get wiped by future Android updates.

GrapheneOS, a security-focused Android variant, has already patched the issue, but switching operating systems is not realistic for most users. There is no evidence of active exploitation yet, but with Google declining to act, the safest advice for now is to be very careful about what you install.

Manisha Priyadarshini
Manisha Priyadarshini
News Writer
Manisha Priyadarshini is a tech and entertainment writer with over nine years of editorial experience.
Topics
HMD, once the house of Nokia, debuts shameless iPhone 17 Pro copycat and calls it “futuristic”
A budget 5G phone with a very Apple-like back has launched in India
HMD Smartphone

Finnish smartphone brand HMD has launched a new budget phone in India, and it looks quite familiar. The phone is called the HMD Vibe 2 5G, and its back panel appears to take more than just inspiration from the iPhone 17 Pro. It has a wide camera bar stretching across much of the upper rear panel, just like Apple’s latest Pro iPhone, but with only two cameras instead of three.

A very familiar kind of futuristic

Read more
Spotify will let you use AI to make covers and remixes of your favourite songs, for an extra fee
Spotify and Universal Music are making AI-generated covers and remixes an official feature.
spotify-ai-remix-cover-songs

If you have ever wished you could hear your favourite song in a completely different style, or put your own spin on it? Spotify is about to make that happen. The streaming platform announced a new AI-powered tool that will let Premium subscribers create covers and remixes of songs from participating artists.

The tool comes out of a landmark licensing deal between Spotify and Universal Music Group, the world's largest music company, whose roster includes Taylor Swift, Billie Eilish, Sabrina Carpenter, and Post Malone. It will launch as a paid add-on for Premium subscribers, though no release date or exact pricing details have been confirmed yet.

Read more
Motorola’s new Razr lineup just kicked off a carrier freebie war in the US
T-Mobile is giving away the Razr Fold, while Verizon is tossing in Moto freebies
Motorola Razr Fold hinge mechanism in proper view

Motorola's latest smartphones are getting some sweet carrier deals. From the latest foldables to the budget models, the company is starting promotions on two major US carriers, although the approach is slightly different. T-Mobile is leaning hard into the first-ever Motorola Razr Fold, while Verizon is making the regular Motorola Razr 2026 and Moto G 2026 easier to grab for customers who want something cheaper.

T-Mobile gets the flashiest Razr deal

Read more