Android 16 Bug Allows Apps to Ignore VPNs and Leak IP Addresses
Key takeaways
- Reports surfaced this week that Android 16 may have a vulnerability that allows apps to ignore VPNs and send IP information, regardless of settings.
- "This issue only affects devices that have downloaded a malicious app," a representative for Google told CNET in an email.
- The Google representative said Google Play Protect automatically protects users from known malicious apps, although by definition, newly emerging threats may not yet be recognized by automated detection systems.
Reports surfaced this week that Android 16 may have a vulnerability that allows apps to ignore VPNs and send IP information, regardless of settings. A security engineer based in Zurich posted about the bug on the website lowlevel.fun, writing that the engineer reported it through Google's Vulnerability Reward Program, which pays rewards to security researchers who find bugs in Android apps. The findings were reposted by VPN provider Mullvad on the company's blog.
But the engineer shared logs showing that Android's security team closed the report, saying it was "infeasible" to fix and wasn't considered a high enough priority for the security team. The engineer did not immediately respond to a request for comment.
"This issue only affects devices that have downloaded a malicious app," a representative for Google told CNET in an email.