Android 16 Vulnerability Allows Apps to Bypass VPNs, Exposing User IP Addresses
A vulnerability has been identified in Android 16 that allows applications to bypass VPN settings and expose users' IP addresses. The issue was reported by a security engineer from Zurich through Google's Vulnerability Reward Program. Despite the potential privacy risks, Google's security team has deemed the bug 'infeasible' to fix and not a high priority. The vulnerability affects devices on which a malicious app is installed: such an app can bypass VPN protections, leaving traffic unencrypted. Although Google Play Protect offers some defense against known threats, new vulnerabilities may not be immediately recognized. The bug persists even with 'Always-on VPN' settings in use, posing a risk to users with critical privacy needs. While there is no evidence of exploitation, the issue remains unresolved for Android 16 users. Mullvad, a VPN provider, suggests switching to GrapheneOS, which has patched the issue.