A security researcher discovered a vulnerability in Android 16's Always-On VPN that allows unprivileged apps to leak the user's real IP address despite the VPN being active. The attack exploits an unvalidated Binder method in ConnectivityManager that lets any app with basic auto-granted permissions send arbitrary packets through system_server, which operates outside VPN routing. The researcher reported it through Android VRP, where Google indicated it falls outside their threat model.
Android VPN IP Leak Even If Always-On VPN Enabled
Android 16's Always-On VPN leaks user IPs through an unvalidated Binder method in ConnectivityManager that any unprivileged app can exploit — Google deemed it outside their threat model.
Friday, May 1, 2026, 12:00 PM UTC
2 min read
Source: Lobsters
By sys://pipeline
Tags
safety