GrapheneOS patches an Android VPN bypass that Google decided to leave alone
A small flaw in Android 16's networking stack let ordinary apps leak data outside the VPN tunnel, exposing real IP addresses
- An Android 16 flaw may let ordinary apps leak traffic outside an active VPN
- Google's Android Security Team declined to patch the bug
- GrapheneOS has shipped an update that disables the underlying feature
GrapheneOS, the privacy-focused alternative Android distribution, has just patched a newly discovered Android VPN flaw that Google decided to leave alone.
A security researcher disclosed the bug last week, showing that even the best VPN apps may be undermined by the operating system underneath them in some extreme circumstances. The flaw, nicknamed the "Tiny UDP Cannon," affects Android 16 and may allow a regular app to leak data outside an active VPN tunnel.
The leak works even when users have enabled Android's strictest privacy settings, including "Always-On VPN" and "Block connections without VPN." In those cases, users reasonably expect that no traffic can leave the device unless it goes through the encrypted tunnel, but this bug breaks that assumption.
That said, attackers need a malicious app already installed on your phone to take advantage of the vulnerability.
After the disclosure, Google's Android Security Team classified the issue as "Won't Fix (Infeasible)" and decided it would not appear in a security bulletin.
GrapheneOS, however, took a different view and shipped a patch.
How the "Tiny UDP Cannon" leaks your real IP
A virtual private network (VPN) is supposed to act like a sealed pipe: every bit of data leaving your phone goes through it, hiding your real IP address from the outside world. Android even offers a strict "lockdown" setting that promises nothing can sneak around that pipe. This bug breaks that promise.
In its technical analysis, the researcher who goes by "lowlevel/Yusuf" explains that the flaw lives in a small Android 16 feature meant to politely close certain network connections.
When an app shuts down a connection, it can hand Android a short goodbye message to send on its behalf. The problem is that Android does not check what is in the message, and it does not check whether the app is supposed to be locked behind the VPN. It simply sends whatever the app gives it out over the regular Wi-Fi or mobile connection.
That gap, according to the researcher, is enough for a malicious app to leak your real IP address straight past the VPN. And the bar for abuse is unusually low. The app does not need any suspicious-looking permissions; it only needs the basic internet access that nearly every app on your phone already has.
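One defender-side check that follows from the description above, added here as an example and not taken from the researcher's write-up or from GrapheneOS: capture on the phone's physical interface while the VPN is up and flag every outbound packet that is not addressed to the VPN server, since under a working lockdown that is the only place device traffic should go. The capture lines, the VPN endpoint and the device address are constructed placeholders.

```python
import re

# Assumed, constructed values for this example (not from the write-up):
VPN_SERVER = ("203.0.113.5", 1194)   # tunnel endpoint; the only legitimate destination
DEVICE_IP = "192.168.1.20"           # the phone's address on the physical interface

# Constructed tcpdump-style lines as captured on the physical interface (e.g. wlan0)
# while an always-on VPN with "block connections without VPN" is active.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 192.168.1.20.51000 > 203.0.113.5.1194: UDP, length 1200
12:00:01.250 IP 203.0.113.5.1194 > 192.168.1.20.51000: UDP, length 96
12:00:02.010 IP 192.168.1.20.44012 > 198.51.100.7.4000: UDP, length 8
12:00:02.020 IP 192.168.1.20.44013 > 198.51.100.7.4000: UDP, length 8
12:00:03.000 IP 192.168.1.20.51000 > 203.0.113.5.1194: UDP, length 1200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>UDP|TCP).*?length (?P<length>\d+)"
)


def parse_capture(text):
    """Turn tcpdump-style lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            for field in ("sport", "dport", "length"):
                p[field] = int(p[field])
            packets.append(p)
    return packets


def find_leaks(text, vpn_server=VPN_SERVER, device_ip=DEVICE_IP):
    """Return outbound packets that left the physical interface without entering the tunnel.

    Under a correct lockdown every packet the device sends on this interface must be
    addressed to the VPN server; anything else bypassed the VPN."""
    return [p for p in parse_capture(text)
            if p["src"] == device_ip and (p["dst"], p["dport"]) != vpn_server]


def summarize(leaks):
    """Group leaked packets by destination so an analyst can see where data went."""
    summary = {}
    for p in leaks:
        key = f'{p["dst"]}:{p["dport"]}/{p["proto"]}'
        entry = summary.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += p["length"]
    return summary


if __name__ == "__main__":
    for dest, stats in summarize(find_leaks(SAMPLE_CAPTURE)).items():
        print(f"LEAK outside VPN: {dest} ({stats['packets']} pkts, {stats['bytes']} bytes)")
```

On a real device the input would be tcpdump output from the physical interface, not from the tunnel interface, because the bypass happens beneath the tunnel.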
The good news is that this is not something a random website or public Wi-Fi network can do to you. An attacker would still need to get a specifically crafted app onto your device first. The bad news, especially for journalists, activists, and anyone relying on Android's lockdown mode as a hard guarantee, is that Google has decided not to fix it.
GrapheneOS ships a fix, with a small caveat
GrapheneOS responded by disabling the faulty feature entirely in release 2026050400.
That removes the attack surface completely, at the cost of losing the small networking efficiency the feature was meant to provide.
"kudos to @GrapheneOS for shipping a fix in less than a week" https://t.co/lF7pNCETQ4 https://t.co/otKgCBSKl3 (May 5, 2026)
For users on stock Android, the researcher's write-up notes that the feature can be turned off manually with an ADB command, but this is not a permanent fix. The setting can be reverted by a factory reset or future system updates, and should only be considered a current-release mitigation.
If you are running stock Android 16 and rely on a VPN for serious privacy, the practical options today are limited. You can apply the ADB workaround above, switch to a device running GrapheneOS, or accept that the lockdown setting is slightly less airtight than advertised until Google changes its mind.
For most users, the day-to-day risk is modest. The attack needs a malicious app already installed on your phone, so the usual habits still apply: stick to reputable apps, review what permissions you grant, and keep your device updated. A reputable VPN remains a meaningful layer of protection for the vast majority of threats, even if this particular flaw shows that the layer below it is not always cooperating.
Monica is a tech journalist with over a decade of experience. She writes about the latest developments in computing, which means anything from computer chips made out of paper to cutting-edge desktop processors.
GPUs are her main area of interest, and nothing thrills her quite like that time every couple of years when new graphics cards hit the market.
She built her first PC nearly 20 years ago, and dozens of builds later, she’s always planning out her next build (or helping her friends with theirs). During her career, Monica has written for many tech-centric outlets, including Digital Trends, SlashGear, WePC, and Tom’s Hardware.