Android 16 ‘Tiny UDP Cannon’ Flaw Lets Malicious Apps Bypass VPN and Expose Your Real IP Address

dark6 17 May 2026

A newly disclosed flaw in Android 16 allows malicious apps to silently bypass VPN protections and expose a user’s real public IP address — even when the strictest VPN security settings are enabled. Dubbed the “Tiny UDP Cannon” by researchers, the vulnerability undermines Android’s core VPN trust model and has been marked as “Won’t Fix” by Google’s Android Security Team, leaving millions of users exposed.

What Is the “Tiny UDP Cannon” Flaw?

The vulnerability exists in Android’s ConnectivityManager service. Normally, a VPN app routes all device traffic through an encrypted tunnel, and features like “Always-On VPN” and “Block connections without VPN” are designed to ensure no traffic leaks outside that tunnel.

However, researchers discovered that a malicious app can register a network payload with Android’s system_server — the privileged system process that manages core Android services — using the method registerQuicConnectionClosePayload. When the malicious app’s socket is subsequently destroyed or the app exits, system_server transmits the attacker-controlled payload directly over the device’s physical network interface, such as Wi-Fi or cellular. Because system_server itself is not subject to VPN routing rules, this traffic bypasses the VPN tunnel entirely.

Why the VPN Lockdown Mode Does Not Help

The attack works even when users have enabled both “Always-On VPN” and “Block connections without VPN” — Android’s most restrictive VPN protection settings. These settings are specifically designed to prevent any traffic from reaching the internet outside the VPN. The bypass succeeds because the traffic originates from system_server rather than the malicious app directly, and system processes are exempt from VPN routing policies.

The registerQuicConnectionClosePayload method lacks three critical controls:

  • Permission checks: Any app holding only the standard INTERNET and ACCESS_NETWORK_STATE permissions — both auto-granted on install — can call this method.
  • Payload validation: The method places no restrictions on the content of the registered payload.
  • VPN policy awareness: The method does not check whether VPN lockdown mode is active before allowing payload registration.

What Can an Attacker Do?

Successful exploitation of this flaw enables an attacker to:

  • Reveal the user’s real IP address: By receiving the out-of-tunnel UDP packet, a remote attacker-controlled server can log the device’s real public IP, deanonymizing users who rely on VPNs for privacy.
  • Exfiltrate small payloads outside the VPN: Sensitive data embedded in the QUIC close payload is sent unencrypted over the physical network interface.
  • Track users despite VPN protection: Advertisers, stalkers, or state-level actors could exploit this to correlate real IP addresses with user behavior even when VPNs are in use.

The vulnerability was confirmed on a Google Pixel 8 running Android 16 with Proton VPN active in lockdown mode, demonstrating real-world exploitability on current hardware.

Indicators of Compromise

Security teams and privacy-conscious users can look for the following signs of exploitation:

  • Unexpected UDP packets sent from the device’s real Wi-Fi or cellular IP address outside the VPN tunnel.
  • Traffic to unfamiliar external servers on unusual ports (e.g., port 3131) originating from system_server (UID 1000).
  • Payload patterns containing tagged or structured data inconsistent with normal QUIC connection close messages.
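As an added example (not code from the article or from the researchers), the indicators above written as a small Python detector run over constructed per-packet UDP records. It assumes each record carries the egress interface, the UID that owns the sending socket, the destination and the raw payload, as a device-side capture annotated with socket ownership might provide; the tunnel interface name, the VPN app's UID and the expected QUIC port are assumptions, and the fixed-bit check follows RFC 9000.

```python
import string
from dataclasses import dataclass

SYSTEM_SERVER_UID = 1000        # system_server, as stated in the article
TUNNEL_IFACES = {"tun0"}        # assumption: the VPN's tun interface name
EXPECTED_QUIC_PORTS = {443}     # assumption: usual destination port for QUIC
QUIC_FIXED_BIT = 0x40           # RFC 9000: set in every QUIC v1 packet header

@dataclass
class Packet:
    iface: str      # egress interface (tun0, wlan0, rmnet0, ...)
    uid: int        # UID that owns the sending socket
    dst: str
    dport: int
    payload: bytes

def looks_like_quic(payload: bytes) -> bool:
    """A real QUIC v1 packet always has the fixed bit set in its first byte."""
    return len(payload) > 0 and bool(payload[0] & QUIC_FIXED_BIT)

def printable_ratio(payload: bytes) -> float:
    """Share of printable bytes; tagged key=value data scores near 1.0."""
    printable = set(string.printable.encode())
    return sum(b in printable for b in payload) / max(len(payload), 1)

def scan(packets, vpn_app_uid):
    """Flag UDP that left via a physical interface while lockdown was expected."""
    findings = []
    for p in packets:
        # Inside the tunnel, or the VPN app's own encapsulated traffic: ignore.
        if p.iface in TUNNEL_IFACES or p.uid == vpn_app_uid:
            continue
        reasons = [f"UDP sent outside the tunnel on {p.iface}"]
        if p.uid == SYSTEM_SERVER_UID:
            reasons.append("originates from system_server (UID 1000)")
        if p.dport not in EXPECTED_QUIC_PORTS:
            reasons.append(f"unusual destination port {p.dport}")
        if not looks_like_quic(p.payload):
            reasons.append("payload lacks the QUIC fixed bit")
        elif printable_ratio(p.payload) > 0.8:
            reasons.append("mostly printable payload, not a normal close frame")
        findings.append((p, reasons))
    return findings

# Constructed sample: four UDP packets as seen on the device.
SAMPLE_PACKETS = [
    Packet("tun0", 10234, "10.8.0.1", 53, b"\x12\x34\x01\x00"),              # inside tunnel
    Packet("wlan0", 10123, "198.51.100.10", 51820, b"\x04\x00\x00\x00"),      # VPN app's tunnel
    Packet("wlan0", 1000, "203.0.113.7", 3131, b"ID=device42;TAG=leak"),      # leak indicator
    Packet("rmnet0", 1000, "203.0.113.7", 443, b"\x01\x02\x03\x04\x05\x06"),  # leak indicator
]
```

Running `scan(SAMPLE_PACKETS, vpn_app_uid=10123)` returns the two system_server packets with their matched reasons; tune the allow-lists to the device's own baseline before using it on real captures.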

Google’s Response: “Won’t Fix”

The vulnerability was responsibly reported to Google’s Android Vulnerability Reward Program in April 2026. However, the Android Security Team classified it as “Won’t Fix (Infeasible),” stating the behavior does not meet the criteria for a security bulletin entry.

Researchers strongly disagree with this assessment. The flaw directly undermines a security guarantee — VPN lockdown — that Android explicitly advertises to users as protection against IP leakage. The practical impact on privacy-sensitive users, including journalists, activists, and enterprise workers in high-risk environments, could be significant.

Temporary Mitigation

A partial workaround exists via an Android Debug Bridge (ADB) command that disables the vulnerable QUIC connection close feature:

adb shell device_config put tethering close_quic_connection -1

After rebooting, the system stops sending the registered QUIC payloads, effectively blocking the leak. However, this is not a permanent fix — it may not survive OS updates — and requires ADB access, placing it out of reach for most ordinary users.

Broader Privacy Implications

VPN usage continues to grow globally, driven by increasing awareness of surveillance and tracking. Vulnerabilities like this reveal that even well-designed privacy features can be undermined by implementation flaws in adjacent system components. As mobile operating systems become more complex, the number of system-level exemptions from security policies grows — creating an expanding blind spot for VPN and privacy protections.

Recommendations

  • Users relying on Android VPNs for anonymity should be aware that Android 16 VPN lockdown does not currently guarantee complete traffic isolation.
  • Apply the ADB mitigation on sensitive devices where possible.
  • Security and privacy teams should monitor network traffic for anomalous out-of-tunnel packets originating from system processes.
  • Advocate for Google to reconsider the “Won’t Fix” classification, as the impact on privacy is material and the fix appears technically feasible.
  • Consider supplementing Android VPN protections with network-level controls, such as router-level firewalls that enforce traffic routing policies independently of the device.

Until a patch is officially released, Android 16 users who depend on VPNs for genuine anonymity should understand that their real IP address may be discoverable by malicious apps installed on their devices.
