That VPN you are running on your Android 16 device may not be doing as much as you think. A newly discovered bug in Android 16 allows any app on your device to send traffic outside your VPN tunnel, exposing your real IP address to the internet, regardless of which VPN you use or how locked down your settings are.
The vulnerability was first reported by a Zurich-based security engineer going by the handle @cybaqkebm, and was later flagged by VPN provider Mullvad, which confirmed the bug affects all VPN apps on Android 16, not just its own.
Your options are limited, and none of them are particularly user-friendly. A technical workaround exists involving a debug command, but the researcher who found the bug warned people to only attempt it if they fully understand the implications. It may also get wiped by future Android updates.
GrapheneOS, a security-focused Android variant, has already patched the issue, but switching operating systems is not realistic for most users. There is no evidence of active exploitation yet, but with Google declining to act, the safest advice for now is to be very careful about what you install.
