Bypassing Always-On VPN in Android 16 via system_server

Researcher lowlevel.fun demonstrated a way to bypass Always-On VPN and the Block connections without VPN option in Android 16. A regular app can cause the system process system_server to send a UDP packet directly through the physical network interface, bypassing the VPN tunnel.

The issue stems from registerQuicConnectionClosePayload: the system process sends app-provided data without checking whether the calling app's VPN restrictions should apply. As a result, the remote server receives a packet from the user's real IP address, while the VPN client never observes this traffic.

Exploitation requires no root access — only the standard INTERNET and ACCESS_NETWORK_STATE permissions.

📎 Research: https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/

💬 Discuss