Android VPN IP Leak Even If Always-On VPN Enabled
A vulnerability in Android 16 allows apps to leak a user's real IP address even when Always-On VPN and 'Block connections without VPN' are enabled. The issue stems from a QUIC-related feature that lets system_server send UDP packets on behalf of apps, bypassing VPN routing rules. This behavior is not considered part of Android's current threat model, leaving users potentially exposed despite relying on VPN protections.
- The vulnerability exploits a Binder method in ConnectivityManager called registerQuicConnectionClosePayload, which accepts arbitrary byte buffers and UDP sockets from apps with INTERNET and ACCESS_NETWORK_STATE permissions.
- When the registered UDP socket is closed, system_server sends the payload directly over the physical network interface, revealing the user's real public IP address outside the VPN tunnel.
- The flaw affects Android 16 QPR1 and later, including devices like the Pixel 8 running Proton VPN with full lockdown settings enabled.
- System services with UIDs below FIRST_APPLICATION_UID are exempt from VPN routing restrictions, allowing them to bypass firewall rules that apply to regular apps.
- An ADB-only mitigation exists to disable the QUIC connection close payload feature, but no user-facing fix has been released as of the report.
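The bullets above describe a confused-deputy pattern: the lockdown rule is keyed on the UID of the process that performs the send, so a send that system_server (UID 1000, below FIRST_APPLICATION_UID) performs on an app's behalf is exempt. The following is an added, simplified model of that decision written for this summary; it is not Android's code, and the `on_behalf_of_uid` attribution and the hardened variant are hypothetical illustrations of the principle, not the mitigation the article describes. FIRST_APPLICATION_UID = 10000 is the real value of android.os.Process.FIRST_APPLICATION_UID.

```python
"""Toy model of the VPN lockdown decision and the delegated-send gap.

Added example, not Android's implementation. It models the rule the summary
states (UIDs below FIRST_APPLICATION_UID are exempt from VPN routing
restrictions) and shows why a packet sent by system_server on an app's
behalf escapes lockdown unless the check is applied to the requesting app.
"""
from dataclasses import dataclass
from typing import Optional

FIRST_APPLICATION_UID = 10000   # android.os.Process.FIRST_APPLICATION_UID
SYSTEM_UID = 1000               # system_server's UID, as stated in the article


@dataclass(frozen=True)
class Packet:
    sender_uid: int                      # process that actually calls sendto()
    on_behalf_of_uid: Optional[int]      # hypothetical: app that supplied bytes + destination
    tunnel_up: bool                      # whether the VPN tunnel is currently established


def _lockdown_rule(uid: int, tunnel_up: bool) -> str:
    """Always-On VPN + 'Block connections without VPN', keyed on one UID."""
    if uid < FIRST_APPLICATION_UID:
        return "physical"        # exempt system service: leaves on the real interface
    if tunnel_up:
        return "tun"             # app traffic is forced through the VPN
    return "blocked"             # no tunnel, so app traffic is dropped


def route_sender_keyed(pkt: Packet) -> str:
    """Decision keyed on the sending process only (the behaviour the article describes)."""
    return _lockdown_rule(pkt.sender_uid, pkt.tunnel_up)


def route_origin_keyed(pkt: Packet) -> str:
    """Hypothetical hardening: a delegated send is judged as the app that requested it."""
    effective_uid = pkt.on_behalf_of_uid if pkt.on_behalf_of_uid is not None else pkt.sender_uid
    return _lockdown_rule(effective_uid, pkt.tunnel_up)


def leak_scenarios() -> dict:
    """Compare both policies over constructed scenarios; 'physical' for app-originated
    bytes is the leak (they reach the destination with the real public IP)."""
    app_uid = 10123  # constructed: an ordinary third-party app UID
    cases = {
        "app sends itself, tunnel up": Packet(app_uid, None, True),
        "app sends itself, tunnel down": Packet(app_uid, None, False),
        "system_server sends for app, tunnel up": Packet(SYSTEM_UID, app_uid, True),
        "system_server sends for app, tunnel down": Packet(SYSTEM_UID, app_uid, False),
        "genuine system traffic": Packet(SYSTEM_UID, None, True),
    }
    return {
        name: {"sender_keyed": route_sender_keyed(p), "origin_keyed": route_origin_keyed(p)}
        for name, p in cases.items()
    }


if __name__ == "__main__":
    for name, decision in leak_scenarios().items():
        flag = " <-- leak" if decision["sender_keyed"] == "physical" and "for app" in name else ""
        print(f"{name:44s} {decision}{flag}")
```

The sender-keyed policy lets both delegated cases out on the physical interface regardless of tunnel state, which is the leak; the origin-keyed variant treats them exactly like the app's own sends while leaving genuine system traffic exempt. The point for defenders is that any service accepting bytes and a destination from an app must carry the caller's identity into the enforcement point, or the lockdown guarantee only covers sockets the app opens itself.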
Opening excerpt (first ~120 words):
The Tiny UDP Cannon: An Android VPN Bypass
Posted on Apr 30, 2026

On Android 16, a regular app with no special permissions can leak the user’s real IP, even with “Always-On VPN” + “Block connections without VPN” turned on. Those two settings are supposed to be the hard guarantee that nothing leaves the device outside the tunnel. They don’t hold here.

The trick is that the app doesn’t send the packet itself. It hands the bytes and a destination to system_server (UID 1000, exempt from VPN routing), then exits. A moment later system_server opens a UDP socket on the physical Wi-Fi interface and fires those bytes at the destination. The VPN never sees them. The destination sees your real public IP.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Lowlevel.