GrapheneOS patches an Android VPN bypass that Google decided to leave alone

Date:
Thu, 07 May 2026 17:15:50 +0000

Description:
A researcher disclosed an Android 16 VPN bypass that leaks your real IP. Google declined to patch it, but GrapheneOS shipped a fix within days.

FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter An Android 16 flaw may let ordinary apps leak traffic outside an active VPN Google's Android Security Team declined to patch the bug GrapheneOS has shipped an update that disables the underlying feature GrapheneOS, the privacy-focused alternative Android distribution, has just patched a newly discovered Android VPN flaw that
Google decided to leave alone.

A security researcher discolsed the bug last week, showing that even the best VPN apps may be undermined by the operating system underneath it in some extreme circumstances. The flaw, nicknamed the "Tiny UDP Cannon," affects Android 16 and may allow a regular app to leak data outside an active VPN tunnel. The leak works even when users have enabled Android's strictest privacy settings, including "Always-On VPN" and "Block connections without VPN." In those cases, users reasonably expect that no traffic can leave the device unless it goes through the encrypted tunnel, but this bug breaks that assumption. You may like Problems with your Android VPN? Proton VPN warns
it's Google's fault Security researchers found 'critical' flaw in IPVanish
Mac VPN app here's all you need to know 'We want to help' Mullvad VPN
offers server support to privacy-first GrapheneOS

That said, attackers need a malicious app already installed on your phone to take advantage of the vulnerability.

After the disclosure, Google's Android Security Team classified the issue as "Won't Fix (Infeasible)" and decided it would not appear in a security bulletin.

GrapheneOS, however, took a different view and shipped a patch. How the "Tiny UDP Cannon" leaks your real IP A virtual private network (VPN) is supposed to act like a sealed pipe: every bit of data leaving your phone goes through it, hiding your real IP address from the outside world. Android even offers a strict "lockdown" setting that promises nothing can sneak around that pipe. This bug breaks that promise.

In its technical analysis , the researcher who goes by "lowlevel/Yusuf" explains that the flaw lives in a small Android 16 feature meant to politely close certain network connections.

When an app shuts down a connection, it can hand Android a short goodbye message to send on its behalf. The problem is that Android does not check
what is in the message, and it does not check whether the app is supposed to be locked behind the VPN. It simply sends whatever the app gives it out over the regular Wi-Fi or mobile connection.

That gap, according to the researcher, is enough for a malicious app to leak your real IP address straight past the VPN. And the bar for abuse is
unusually low. The app does not need any suspicious-looking permissions; it only needs the basic internet access that nearly every app on your phone already has. What to read next Investigation: over 75% of Android VPNs fail basic transparency tests This hidden SIM flaw lets spies track your location, and using a VPN can't help Major Russian Android apps know who's using a VPN, digital rights group warns

The good news is that this is not something a random website or public Wi-Fi network can do to you. An attacker would still need to get a specifically crafted app onto your device first. The bad news, especially for journalists, activists, and anyone relying on Android's lockdown mode as a hard guarantee, is that Google has decided not to fix it. GrapheneOS ships a fix, with a
small caveat GrapheneOS responded by disabling the faulty feature entirely in release 2026050400 .

That removes the attack surface completely, at the cost of losing the small networking efficiency the feature was meant to provide. kudos to @GrapheneOS for shipping a fix in less than a weekhttps://t.co/lF7pNCETQ4 https://t.co/otKgCBSKl3 May 5, 2026 For users on stock Android, the researcher's write-up notes that the feature can be turned off manually with an ADB command , but this is not a permanent fix. The setting can be reverted by a factory reset or future system updates, and should only be considered a current-release mitigation.

If you are running stock Android 16 and rely on a VPN for serious privacy,
the practical options today are limited. You can apply the ADB workaround above, switch to a device running GrapheneOS, or accept that the lockdown setting is slightly less airtight than advertised until Google changes its mind.

For most users, the day-to-day risk is modest. The attack needs a malicious app already installed on your phone, so the usual habits still apply: stick
to reputable apps, review what permissions you grant, and keep your device updated. A reputable VPN remains a meaningful layer of protection for the
vast majority of threats, even if this particular flaw shows that the layer below it is not always cooperating. Today's best Android VPN deals +3 months free Surfshark 24 Months 1.49 /mth View NordVPN 2 Year 2.59 /mth View +4 MONTHS FREE ExpressVPN 24 month 1.99 /mth View Proton VPN 24 Month 2.39 /mth View PrivadoVPN - 24 Month Plan 1.11 /mth View We check over 250 million products every day for the best prices Follow TechRadar on Google News and
add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!



======================================================================
Link to news story: https://www.techradar.com/vpn/vpn-privacy-security/grapheneos-patches-an-andro id-vpn-bypass-that-google-decided-to-leave-alone


--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)