Your IP address might be leaking. Right now.
Android 16 has a glitch, and it is not a small one. A Zurich-based security engineer posted about it on lowlevel.fun, detailing a vulnerability where apps can completely ignore your VPN settings. The data goes straight to the web servers, unmasked. No encryption. No hiding.
The researcher reported this to Google through their Vulnerability Reward Program. You know the drill: find a bug, get paid. Google’s security team looked at the logs and closed the ticket.
Their response? It is “infeasible” to fix.
They said it was not a high enough priority. The researcher has not responded to requests for comment, so we have to take their word for the rest.
Google tried to calm the nerves in an email to CNET.
“This issue only affects devices that have installed a malicious app.”
Fair point. If you have no bad apps, you have no leak. But that relies on Google Play Protect catching everything instantly. By definition, it cannot. New threats exist before they are known. There is a window of time. A dangerous one.
Let us step back for a second. What even is a VPN?
It is software that scrambles your traffic and hides your real IP. You want privacy? You want to look like you are in a different country? This is how.
This bug hits the ConnectivityManager system service in Android 16. That service tells web servers when a connection has fully ended. Simple, right? Wrong. That final handshake bypasses the VPN tunnel entirely. Your real IP address gets stamped on that packet. It does not matter where the server is located. It shows who you really are.
Type of VPN? Irrelevant.
Encryption settings? Bypassed.
Permissions? Useless here.
This is not about weak config. It is a structural blind spot.
Here is the kicker. You can have “Always-on VPN” enabled. You can turn on “Block connections without VPN.” These features promise zero unsecured activity. They are the heavy door locks on your digital front door. This bug finds a way out the window anyway.
That is terrifying for people who actually need privacy. Journalists. Activists. People in restrictive regimes. The settings lie to them. The connection is active, but the protection is hollow.
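One way to test the lockdown promise from outside the phone, as an added example (not code from the researcher's post or from Google): it scans `tcpdump -nn` text captured on the upstream router and lists anything the phone sent to the internet that was not addressed to the VPN server. The addresses, ports and capture lines are constructed assumptions.

```python
import ipaddress
import re

# IPv4 lines as printed by `tcpdump -nn`: "IP src.port > dst.port: rest"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")

# Constructed capture from the router's LAN side. Phone, VPN server and
# flag values are illustrative assumptions, not data from the report.
SAMPLE = """\
1700000000.10 IP 192.168.1.50.40000 > 203.0.113.10.51820: UDP, length 148
1700000000.20 IP 192.168.1.50.5353 > 224.0.0.251.5353: 0 PTR (QM)? _x._tcp.local. (40)
1700000000.30 IP 192.168.1.50.40100 > 192.168.1.20.8009: Flags [P.], length 64
1700000000.40 IP 203.0.113.10.51820 > 192.168.1.50.40000: UDP, length 92
1700000000.50 IP 192.168.1.50.44321 > 198.51.100.7.443: Flags [F.], length 0
""".splitlines()


def find_leaks(lines, phone_ip, vpn_endpoint, lan_cidr):
    """Return packets the phone sent to the internet outside the tunnel.

    vpn_endpoint is the (ip, port) of the VPN server. With lockdown on,
    every other internet-bound packet from the phone is a leak.
    """
    lan = ipaddress.ip_network(lan_cidr)
    leaks = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 and anything else this parser skips
        src, _sport, dst, dport, rest = m.groups()
        dst_ip = ipaddress.ip_address(dst)
        if src != phone_ip or (dst, int(dport)) == vpn_endpoint:
            continue  # not from the phone, or the tunnel itself
        if dst_ip in lan or dst_ip.is_multicast:
            continue  # local traffic never reaches a remote server
        flags = re.search(r"Flags \[([^\]]*)\]", rest)
        leaks.append({"dst": dst, "dport": int(dport),
                      "tcp_flags": flags.group(1) if flags else None})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, "192.168.1.50",
                           ("203.0.113.10", 51820), "192.168.1.0/24"):
        print("outside tunnel:", leak)
```

The parser only reads IPv4 lines, so an IPv6 capture needs its own pass before an empty result means anything.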
Is there evidence that anyone has weaponized this yet?
No. Nothing in the wild. Yet.
But leaving it open does not make it go away. Android 16 users are sitting ducks unless they move.
GrapheneOS patched it.
This proves the bug is fixable. If Google said it was impossible, GrapheneOS proved them wrong with a code update. If your privacy matters to you more than having a vanilla stock ROM, Mullvad suggests switching over.
There is one other route. It is messy. It requires tech comfort.
The security engineer found a debug command that disables the faulty behavior. It works when USB debugging is enabled. You can download the Android Debug Bridge and run the command yourself.
But do not be foolish. Only touch these settings if you know exactly what shutting down features in debug mode does.
Otherwise, you are waiting for Google to change their mind on “priority.” Or waiting for someone to exploit the leak.
