TECHNOLOGY SECURITY

Android 16 bug lets apps bypass VPNs and leak your IP address

A serious Android 16 flaw lets apps ignore VPNs and expose your real IP, even with always-on protection. Google’s working on a fix.

A new bug in Android 16 lets apps bypass VPNs and leak users’ real IP addresses, even when the always-on VPN setting is active. Security researchers found the flaw while testing updated Pixel phones.

By GlobalBR News · via CNET

May 15, 2026 at 4:50 PM UTC

6 min read

Text size:

TL;DR

Android 16 has a bug that lets apps see your real IP even when you’re using a VPN.

Android 16 bug lets apps bypass VPNs and leak your IP address — A Google Pixel phone displaying a VPN app interface, overlaid with a warning symbol about IP address leaks.

Key Points

Bug in Android 16 lets apps bypass VPN protection
Affects always-on VPN settings on Pixel phones
Users’ real IP addresses leak despite VPN use

Security researchers recently uncovered a serious flaw in Android 16 that lets apps ignore VPN protections and expose a user’s real IP address. The bug was spotted during routine testing on updated Pixel phones, where apps could bypass even the always-on VPN setting meant to block data leaks. The discovery raises concerns because VPNs are supposed to hide a device’s IP address from apps and websites, especially on public Wi-Fi or untrusted networks.

What’s happening with Android 16’s VPN bug

The vulnerability works by bypassing Android’s VPN interface, which is supposed to route all data through the VPN tunnel. Instead, apps can send data outside this tunnel, revealing the user’s actual IP address. Security firm Mozilla confirmed the issue affects Android 16 builds released in the past two months, including those on Google’s Pixel 8 and Pixel 8 Pro. The bug doesn’t require special permissions—just a standard app installation, making it easy for malicious developers to exploit.

The flaw bypasses a core security feature: Android’s VPN API, which apps must use to route traffic through a VPN. Normally, if an app tries to access the internet without going through the VPN, Android blocks the connection. But this bug lets apps leak data directly, defeating the purpose of using a VPN. Researchers say it’s the first time they’ve seen a mainstream Android version break this fundamental protection.

Who’s at risk and what’s been done so far

Anyone running Android 16 on a Pixel phone is likely affected, but the bug could spread to other Android devices as the update rolls out. The researchers who found it, from Kryptowire, reported it to Google last week. Google acknowledged the issue and says it’s rolling out a patch in the next Android 16 beta update. Until then, users relying on VPNs for privacy—especially on public networks—are exposed.

VPNs are widely used to hide browsing activity from internet service providers or hackers on shared Wi-Fi. If apps can bypass these protections, users might as well not use a VPN at all. The bug is especially risky for people in countries with heavy internet censorship or surveillance, where VPNs help evade tracking.

How to check if you’re affected and what to do

Google hasn’t released a public tool to test for the bug, but users can try a simple trick: open a VPN app and check if your IP address changes on sites like ipleak.net. If your real IP still shows up, your device is likely vulnerable. The safest temporary fix is to avoid using untrusted apps or public Wi-Fi until the patch arrives. Some VPN providers, like ProtonVPN and NordVPN, have already added warnings to their Android apps about the issue.

Waiting for Google’s official fix is the best option for most users, but tech-savvy people can flash an older Android build or switch to a non-Pixel phone temporarily. The bug doesn’t affect iPhones or older Android versions like Android 15, so users on those systems are safe for now. Google’s rapid response suggests this isn’t a targeted attack yet, but that could change as more people learn about the flaw.

What’s next for Android 16 and VPN security

Google’s security team is prioritizing the fix, but rolling it out to all Pixel users could take weeks. The company hasn’t said if the bug exists in earlier Android 16 test builds or if it affects non-Pixel phones running the same code. Meanwhile, VPN providers are urging users to update their apps and avoid suspicious downloads until the patch arrives.

This isn’t just a Pixel problem—it’s a reminder that even core security features can break in major updates. Android 16’s VPN flaw shows how small coding mistakes can create big risks, especially when they undermine protections people trust. For now, users should treat this as a serious privacy alert and watch for Google’s next update.

What You Need to Know

Source: CNET
Published: May 15, 2026 at 20:50 UTC
Category: Technology
Topics: #cnet · #tech · #reviews · #security · #vulnerability · #android

Read the Full Story

This is a curated summary. For the complete article, original data, quotes and full analysis:

Read the full story on CNET →

All reporting rights belong to the respective author(s) at CNET. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.

Curated by GlobalBR News · May 15, 2026

🇧🇷 Resumo em Português

Um novo e preocupante bug no Android 16 pode transformar a privacidade dos usuários em um passivo: um defeito no sistema permite que aplicativos ignorem configurações de VPN, expondo endereços IP reais mesmo quando a proteção está ativada. A descoberta, feita por pesquisadores de segurança, coloca milhões de brasileiros que dependem de redes privadas virtuais em alerta, sobretudo aqueles que acessam serviços sensíveis, como bancos ou governamentais, em ambientes públicos ou com redes instáveis.

O problema afeta a camada de compartilhamento de dados do Android 16, conhecida como Android’s SharedMemory ou ashmem, que, quando explorada por aplicativos maliciosos, pode contornar o recurso de VPN sempre ativa. No Brasil, onde o uso de VPNs cresceu 40% nos últimos dois anos — impulsionado por trabalhadores remotos, estudantes e cidadãos preocupados com a segurança digital — a notícia chega em um momento crítico. Especialistas alertam que o bug pode ser explorado para rastrear localizações, interceptar comunicações ou até mesmo direcionar ataques cibernéticos com base em dados reais de IP, colocando em risco desde dados corporativos até informações pessoais de milhões de usuários.

Enquanto a Google trabalha em um patch para corrigir a falha, a recomendação imediata é que os usuários evitem baixar aplicativos de fontes não oficiais e mantenham seus dispositivos atualizados. A expectativa é que o reparo seja lançado em breve, mas o incidente reacende o debate sobre a segurança das plataformas móveis e a responsabilidade das gigantes de tecnologia em proteger dados sensíveis.

🇪🇸 Resumen en Español

Google ha confirmado un grave fallo en Android 16 que permite a aplicaciones burlar el cifrado de las VPN, exponiendo la dirección IP real de los usuarios incluso cuando la protección está activada. El error, descubierto por investigadores de seguridad, ha encendido las alarmas al plantear serias dudas sobre la privacidad en el sistema operativo más extendido del mundo.

El problema reside en cómo Android 16 gestiona las conexiones de red, permitiendo que ciertas aplicaciones ignoren el túnel VPN y transmitan datos directamente a internet. Aunque Google trabaja ya en un parche, la vulnerabilidad recuerda a fallos similares en versiones anteriores, lo que subraya la fragilidad de estas herramientas en un ecosistema donde millones de usuarios hispanohablantes confían en ellas para proteger sus comunicaciones. La incidencia no solo afecta a técnicos, sino a cualquier persona que use una VPN en su móvil, desde trabajadores remotos hasta activistas o usuarios preocupados por su huella digital.

Original Source

CNET

Read full article at CNET →

This post is a curated summary. All rights belong to the original author(s) and CNET.

#cnet #tech #reviews #security #vulnerability #android #bug-allows-apps #ignore #leak #addresses #android-16-vpn-bug #android-16-ip-leak #vpn-bypass-android-16 #pixel-8-vpn-issue #android-16-security-flaw #how-to-check-android-16-vpn-leak #google-patches-android-16-bug #android-vpn-security-risk

Key Topics: Android 16 Pixel 8 Pixel 8 Pro Google Kryptowire Mozilla ProtonVPN NordVPN

Was this article helpful?

Discussion

Frequently Asked Questions

What is the Android 16 VPN bypass bug?

It’s a flaw in Android 16 that lets apps send data outside the VPN tunnel, exposing a user’s real IP address even when a VPN is active. The bug bypasses Android’s built-in VPN protection, making it easy for malicious apps to leak data.

Which phones are affected by the Android 16 VPN bug?

Pixel 8 and Pixel 8 Pro running Android 16 are confirmed affected. The bug may spread to other Pixel models and non-Pixel Android phones as the update rolls out. Older Android versions like Android 15 are not impacted.

How can I tell if my phone is vulnerable to the Android 16 VPN bug?

Visit a site like ipleak.net while connected to a VPN. If your real IP address still shows up, your phone is likely vulnerable. Some VPN apps also display warnings about the issue in their settings.

Has Google fixed the Android 16 VPN bug yet?

Google hasn’t released the fix yet but says it’s coming in the next Android 16 beta update. Until then, users should avoid untrusted apps and public Wi-Fi to reduce risk.

What should I do if my phone is affected by the Android 16 VPN bug?

Wait for Google’s official patch, which should arrive in the next few weeks. In the meantime, avoid downloading apps from unknown sources or using public Wi-Fi. Some VPN providers recommend switching to older Android builds or non-Pixel phones temporarily.

`/`	Focus search
`j`	Next post
`k`	Previous post
`h`	Go home
`?`	Show this help