Ghana’s Oldest & Leading Consumer Tech Blog — Since 2015


Android VPN leak: Your real IP exposed, here’s what to do


Android VPN leak — GrapheneOS fixes Android VPN leak Google refused to patch

If you use a VPN on your Android phone to protect your internet traffic, here’s something you need to know: a new security flaw can leak your real IP address even when your VPN is turned on and locked down. Google knows about it, but says it won’t fix it.

This matters if you’re using a VPN in Ghana for online banking, checking sensitive work emails, or browsing on public WiFi. Your real location and identity could be exposed to apps you’ve installed.

What’s the Android VPN leak?

Android 16 has a new feature that handles how connections shut down. It’s called QUIC connection teardown. Last week, security researcher Yusuf found that apps can trick this feature into sending data directly to the internet without routing it through your VPN tunnel, bypassing all your VPN protections.

The leak happens even if you’ve turned on Android’s “Always-On VPN” and “Block connections without VPN” settings, which are supposed to lock everything down.

Yusuf tested it on a Pixel 8 running Android 16 with Proton VPN enabled. An app successfully leaked the phone’s real public IP address to a remote server, demonstrating that the leak works in practice.

Why Google won’t fix it

Here’s the frustrating part: Yusuf reported the flaw to Google’s Android security team in April 2026. Google classified it as “Won’t Fix” and said it doesn’t meet the bar for a security advisory. When Yusuf appealed, Google stuck with its decision.

That’s why the researcher published the details publicly on April 29, forcing the issue into the open.

Who’s already fixed it?

GrapheneOS, a privacy-focused version of Android used on Pixel phones, released a patch within a week. The fix disables the vulnerable feature. If you’re running GrapheneOS, you’re protected.

If you’re on stock Android (the regular version Google ships), you’re still exposed unless Google patches it in a future update.

What you should do now

If you have a Pixel phone: Switch to GrapheneOS if privacy is important to you. It’s free and available at grapheneos.org.

If you’re on stock Android: There’s a temporary workaround using Android’s developer settings (via ADB), but it’s technical and may not persist. For most people, the best move is to wait for Google’s fix or switch to a more security-focused ROM like GrapheneOS.

General advice: Don’t rely on a VPN alone if you’re using Android 16 right now. Use strong passwords, enable two-factor authentication on accounts that matter (your bank, email, MoMo), and avoid sensitive transactions on public WiFi until this is patched.

This is a reminder that even big companies like Google sometimes deprioritize security issues. Staying informed and updating your phone when patches drop is still your best defense.

Photo: Cyberinsider
