Any app on recent Android versions can leak certain traffic

A recently discovered bug in Android 16 allows any app to leak traffic outside the VPN tunnel.

As reported in the post The Tiny UDP Cannon: An Android VPN Bypass, Android 16 introduced a bug that allows a malicious app to send traffic outside the VPN tunnel, even with “Always-On VPN” and “Block connections without VPN” enabled. This affects all VPN apps, not just Mullvad VPN. This blog post aims to spread knowledge about this issue to help keep our users safe.

Having traffic leak outside the tunnel means your real IP address becomes visible on the Internet, which could potentially be used for tracking or surveillance purposes.

The bug was reported to the Android Security Team, but was closed as Won’t Fix (Infeasible), as described in the linked article. After consulting with the report author (https://x.com/cybaqkebm), we reported the issue on the Android issue tracker. However, at the time of writing the issue is marked as inaccessible by Google for unknown reasons.

In contrast, GrapheneOS, a security-focused Android-based OS, quickly patched the issue in its codebase.

Technical details

The leak involves calling the registerQuicConnectionClosePayload method on the ConnectivityManager system service. The purpose of this method is to enable graceful teardowns of QUIC connections by sending a final payload to the server, letting it know that the device has closed the connection. However, this function does not properly check that the payload is sent into the VPN tunnel, resulting in an attacker being able to craft a payload that is sent outside the VPN, thus leaking the device's real IP address.

Mitigation

A mitigation is possible, but is quite technical in that it requires USB debugging to be enabled on the device in order to run the following Android Debug Bridge (adb) commands:

adb shell device_config put tethering close_quic_connection -1
adb reboot

This disables the QUIC graceful shutdown feature, and thus closes the leak. The mitigation will persist across reboots, but it may be undone by system updates, in which case the steps will need to be repeated.

Performing this mitigation means that the server-side QUIC socket will remain half-open until it times out, which should generally not negatively affect the Android device or the apps running on it. Only run the commands if you understand the implications, and at your own risk.
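A small script to verify that the mitigation above is actually in effect on a device, added here as an example and not part of the original post or Mullvad's tooling. It assumes adb is on PATH with USB debugging enabled, and that the device_config key name and the -1 value are exactly as given in the commands above; the two check functions take raw command output as arguments so they can be exercised without a device.

```shell
#!/bin/sh
# Added example: confirm the close_quic_connection mitigation is applied.
# Assumes: adb on PATH, USB debugging enabled, flag name/value as in the post.

# Returns 0 when the device_config value disables the QUIC close feature (-1).
# adb output carries a trailing CR/LF, so whitespace is stripped first.
# An unset flag prints as "null" (the default, i.e. the leak is still open).
mitigation_applied() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$value" = "-1" ]
}

# Returns 0 when the reported Android release is 16 or newer (the post says
# Android 16 introduced the bug; newer releases are assumed affected too).
release_affected() {
    major=$(printf '%s' "$1" | tr -d '[:space:]' | cut -d. -f1)
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -ge 16 ]
}

# Queries the connected device and reports the mitigation state.
# Exit codes: 0 mitigated or not affected, 1 leak not mitigated, 2 no device.
check_device() {
    release=$(adb shell getprop ro.build.version.release 2>/dev/null) \
        || { echo "no device reachable via adb"; return 2; }
    flag=$(adb shell device_config get tethering close_quic_connection 2>/dev/null)
    if ! release_affected "$release"; then
        echo "Android $release: older than 16, not affected by this bug"
        return 0
    fi
    if mitigation_applied "$flag"; then
        echo "Android $release: close_quic_connection=-1, mitigation in place"
        return 0
    fi
    echo "Android $release: close_quic_connection='$(printf '%s' "$flag" | tr -d '[:space:]')', leak NOT mitigated"
    return 1
}

# Only talk to a device when invoked as: sh check_quic_leak.sh check
if [ "${1:-}" = "check" ]; then
    check_device
fi
```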

Conclusion

This is not the first and certainly not the last leak of its kind in Android. You can protect against it by applying the mitigation above or by running a security-oriented Android variant such as GrapheneOS. Ultimately, though, it also comes down to not running apps you do not trust on your devices.