This serious Android VPN bug can leak your internet traffic – here's what you need to know

A newly discovered Android 16 bug could allow apps to leak traffic outside VPN tunnels, potentially exposing users' real IP addresses even when Always-On VPN and Android's built-in kill switch are enabled.

The flaw affects all the best VPNs, and was highlighted by Mullvad VPN, one of the most private VPNs available.

What's behind the Android 16 VPN leak?

The leak stems from a flaw in how Android 16 handles QUIC connection shutdowns.

According to Mullvad, apps can abuse a system function tied to the Connectivity Manager service to send specific traffic outside the VPN tunnel. This means a malicious app could reveal a user's real IP address to external servers, even if the device is configured to block all non-VPN traffic.

Mullvad says the issue affects all VPN apps on Android 16 because the vulnerability exists within the operating system itself. The Sweden-based VPN also noted that GrapheneOS, a privacy-focused Android-based operating system, has already patched the flaw in its own codebase.

Why this isn't just a Mullvad problem

VPN leaks are not entirely new, but this case stands out because it bypasses Android's strongest VPN protections, including "Always-On VPN" and "Block connections without VPN."

The issue was reportedly shared with Google's Android Security Team, but Mullvad says the report was closed as "Won't Fix (Infeasible)." The company later submitted a separate issue through Google's Android issue tracker, although Mullvad says the report is currently inaccessible.

Features like kill switches and Always-On VPN settings are often seen as critical protections, especially for users connecting through hotel, airport, or café Wi-Fi networks, or operating in higher-risk environments.

Because of this, reports of those protections being bypassed entirely are likely to concern privacy-focused VPN users.

How to reduce the risk on Android

Mullvad says a mitigation is available, although it requires enabling USB debugging and running Android Debug Bridge (adb) commands manually.

To apply the workaround:

  • Enable Developer Options and USB debugging on your Android device
  • Connect the device to a computer with adb installed
  • Run: adb shell device_config put tethering close_quic_connection -1
  • Reboot the device

According to Mullvad, this disables the QUIC graceful shutdown feature linked to the leak.

However, future Android updates may undo the fix, meaning users could need to repeat the process after updating their device.
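
A scripted form of the workaround above, added here as an example (it is not from Mullvad or from this article): it applies the setting, reads it back with device_config get, and has a check mode for re-verifying after a system update. Only the tethering / close_quic_connection / -1 values come from the article; the function names, messages and exit codes are this example's own, and it assumes adb is on the PATH with one authorised device attached.

```shell
#!/bin/sh
# Added example: apply and re-verify the workaround quoted in the article.
# Usage: ./quic-flag.sh apply | check   (script name is hypothetical)

NAMESPACE=tethering
KEY=close_quic_connection
WANT=-1

# Print the flag's current value. An unset flag is reported as "null";
# some adb versions append a carriage return, so strip it.
quic_flag_value() {
    adb shell device_config get "$NAMESPACE" "$KEY" 2>/dev/null \
        | tr -d '\r' | head -n 1
}

# Exit status: 0 = workaround in place, 1 = not in place,
# 2 = no authorised device reachable over adb.
quic_flag_check() {
    [ "$(adb get-state 2>/dev/null | tr -d '\r')" = "device" ] || return 2
    [ "$(quic_flag_value)" = "$WANT" ]
}

# Set the flag, read it back, and reboot only if the read-back matches.
quic_flag_apply() {
    rc=0
    quic_flag_check || rc=$?
    case $rc in
        0) echo "already set, nothing to do"; return 0 ;;
        2) echo "no authorised adb device" >&2; return 2 ;;
    esac
    adb shell device_config put "$NAMESPACE" "$KEY" "$WANT" || return 1
    if [ "$(quic_flag_value)" = "$WANT" ]; then
        echo "flag set, rebooting device"
        adb reboot
    else
        echo "value did not persist, workaround NOT applied" >&2
        return 1
    fi
}

# Dispatch only when a mode is given, so sourcing the file has no effect.
case "${1:-}" in
    apply) quic_flag_apply ;;
    check) quic_flag_check ;;
esac
```

Running the check mode after each Android update shows whether the setting survived; exit status 1 means the workaround needs to be applied again.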

Beyond the workaround itself, it's still worth being cautious about installing apps or visiting websites you do not fully trust.
