
Android 16 VPN bug turns apps installed on your phone into a leaky sink

Android 16 has a bug that lets apps bypass your VPN and leak your real IP address.


That VPN you are running on your Android 16 device may not be doing as much as you think. A newly discovered bug in Android 16 allows any app on your device to send traffic outside your VPN tunnel, exposing your real IP address to the internet, regardless of which VPN you use or how locked down your settings are.

The vulnerability was first reported by a Zurich-based security engineer going by the handle @cybaqkebm, and was later flagged by VPN provider Mullvad, which confirmed the bug affects all VPN apps on Android 16, not just its own.

A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm

Read more here: https://t.co/K9bxtiGHbw

— Mullvad.net (@mullvadnet) May 12, 2026

How bad is this and what does Google have to say?

The bug involves a system service in Android 16 called ConnectivityManager. It is designed to let apps send a final message to web servers when a connection ends. The problem is that this service bypasses the VPN tunnel entirely, sending data unencrypted and leaking your real IP address in the process.

The security engineer reported the issue through Google’s Vulnerability Reward Program. However, Google’s response was to close the report and mark it as ‘Won’t Fix,’ describing it as outside their threat model.

A Google spokesperson told CNET that the issue only affects devices that have downloaded a malicious app, and that Google Play Protect automatically shields users from known malicious apps.

The problem is that Play Protect only covers apps it already recognizes. Unknown malicious apps have previously slipped into the Play Store and racked up millions of downloads before being removed.

Is there anything you can do right now?

Your options are limited, and none of them are particularly user-friendly. A technical workaround exists involving a debug command, but the researcher who found the bug warned people to only attempt it if they fully understand the implications. It may also get wiped by future Android updates.

GrapheneOS, a security-focused Android variant, has already patched the issue, but switching operating systems is not realistic for most users. There is no evidence of active exploitation yet, but with Google declining to act, the safest advice for now is to be very careful about what you install.

Manisha Priyadarshini
Manisha Priyadarshini is a tech and entertainment writer with over nine years of editorial experience.