Google Android 16 bug leaks info from all VPN apps.
Updated May 15: This article, originally published May 14, has been updated with a statement from a Google spokesperson regarding the Android 16 vulnerability that allows a malicious app to bypass VPN protections, regardless of which VPN you use or how strict your Android device’s VPN configuration settings are. Details of iOS VPN limitations have also been added for the benefit of iPhone users.
A security researcher has published a technical paper detailing how Android 16 has introduced a bug that essentially bypasses VPN protections, affecting all VPN apps. Whether you have enabled the “Always-On VPN” or “Block connections without VPN” settings is immaterial; Android 16 can still leak traffic outside of the VPN-protected tunnel. This means that your real IP address is visible on the internet, with all the potential for tracking and surveillance issues that come with it. But here’s the kicker: the researcher reported the bug through the Android Vulnerability Reward Program, only for Google to close the issue and mark it as “Won’t Fix” for falling outside of the threat model.