How the VPN Bypass Works
A newly discovered vulnerability in Android 16 undermines the VPN protections meant to keep user traffic private. Security researchers found that a malicious app with only basic permissions, such as INTERNET and ACCESS_NETWORK_STATE, can force network data to bypass the VPN tunnel entirely. The flaw, which researchers have named the Tiny UDP Cannon, exploits a weakness in the ConnectivityManager system service. A normal app can register a payload with the system_server process, which has elevated privileges and is not subject to VPN routing rules. When the app exits or its network socket closes, system_server dispatches the attacker-controlled data over the device’s physical network interface, such as Wi-Fi, completely ignoring VPN settings.
Impact and Scope
The vulnerability remains effective even when a user enables Always On VPN and Block connections without VPN, two features designed to enforce complete traffic protection. An attacker exploiting this flaw can reveal a user’s real public IP address, exfiltrate data outside the encrypted VPN tunnel, and track users despite privacy protections. The issue was verified on a Pixel 8 running Android 16 with Proton VPN and lockdown mode active. The research team reported the flaw to Google’s Android Vulnerability Reward Program, but the company classified it as Won’t Fix, stating it does not meet the criteria for a security bulletin. Security experts argue this decision overlooks the significant privacy risks, particularly for users who rely on VPNs to protect their identity and location.
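Because the leaked data is sent by system_server over the physical interface, it can be observed from outside the phone. The following check is an added example, not code from the article or the researchers: it scans `tcpdump -n -tt` text captured on the Wi-Fi gateway and reports any packet from the phone that is not addressed to the VPN server. The addresses, the UDP VPN endpoint on port 51820, the DHCP exemption and the IPv4-only parsing are assumptions made for illustration.

```python
import re

# Constructed sample: `tcpdump -n -tt` text captured on the Wi-Fi gateway
# (upstream of the phone). The phone is 192.168.1.50 with lockdown enabled;
# 203.0.113.10:51820 stands in for the VPN server (all values are constructed).
SAMPLE_CAPTURE = """\
1700000000.100000 IP 192.168.1.50.40000 > 203.0.113.10.51820: UDP, length 148
1700000000.200000 IP 203.0.113.10.51820 > 192.168.1.50.40000: UDP, length 92
1700000001.300000 IP 192.168.1.50.68 > 192.168.1.1.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:ff, length 300
1700000002.400000 IP 192.168.1.50.47011 > 198.51.100.7.9999: UDP, length 32
1700000002.500000 IP 192.168.1.77.5353 > 224.0.0.251.5353: UDP, length 45
"""

# IPv4 only: "<ts> IP <src>.<sport> > <dst>.<dport>: <info>"
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)


def find_out_of_tunnel(capture, device_ip, vpn_endpoint, exempt_dports=(67,)):
    """Return packets sent by device_ip that did not go to the VPN endpoint.

    vpn_endpoint is an (ip, port) tuple. exempt_dports lists destination
    ports for local plumbing such as DHCP (assumption: tune per network).
    """
    leaks = []
    for line in capture.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m or m["src"] != device_ip:
            continue  # unparsed line, or traffic from another host
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) == vpn_endpoint or dport in exempt_dports:
            continue  # tunnel traffic or exempt local traffic
        leaks.append({"ts": float(m["ts"]), "dst": dst,
                      "dport": dport, "info": m["info"]})
    return leaks


if __name__ == "__main__":
    found = find_out_of_tunnel(SAMPLE_CAPTURE, "192.168.1.50",
                               ("203.0.113.10", 51820))
    for pkt in found:
        print(f"{pkt['ts']:.6f} out-of-tunnel -> "
              f"{pkt['dst']}:{pkt['dport']} ({pkt['info']})")
```

The capture has to be taken upstream of the device, since the traffic in question never passes through the VPN app on the phone.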
Source: Cyber Security News
