Somewhere between the marketing polish and the shipping code, Android 16 developed a quiet habit of severing VPN connections without telling anyone. No notification. No warning icon. Just an open, unprotected pipe to the internet while the VPN indicator on your phone cheerfully reports that everything is fine.
The bug, first reported by users and tracked in Google’s issue tracker, affects devices running Android 16 — including Google’s own Pixel phones. It disconnects active VPN tunnels intermittently, routing traffic through the device’s default network connection instead. The kill switch, a feature specifically designed to prevent exactly this kind of data exposure, doesn’t trigger. The VPN icon in the status bar remains visible. For all practical purposes, the phone lies to its user about the state of their connection security.
That’s not a minor inconvenience. It’s a breach of trust in one of the most fundamental privacy tools available on mobile devices.
As MakeUseOf reported, the issue has been documented in Google’s public bug tracker since at least early 2025, with multiple users confirming the behavior across different VPN providers. The problem isn’t isolated to a single app or protocol. Users of Mullvad VPN, WireGuard, and other well-known services have all reported identical symptoms: the VPN connection silently drops, traffic leaks onto the unprotected network, and the device gives no indication that anything has changed.
Google has acknowledged the bug. But acknowledgment and resolution are very different things.
The company assigned the issue a priority rating but has not yet shipped a fix to stable Android 16 builds. For a company that positions Android as an enterprise-ready platform with strong privacy controls, the delay is conspicuous. VPN connectivity isn’t a niche concern. It’s the backbone of corporate mobile security, remote work infrastructure, and personal privacy for millions of users who depend on encrypted tunnels to protect sensitive data from hostile networks.
The technical details paint a troubling picture. Android’s VPN framework relies on a system-level service that manages the tunnel interface and routes all traffic through it when “Always-on VPN” and “Block connections without VPN” are enabled. These two settings together form what most users understand as a kill switch — if the VPN drops, no traffic should flow at all. In Android 16, something in this chain breaks intermittently. The tunnel interface goes down, but the system doesn’t recognize the failure state. Traffic falls back to the default network path. The status bar icon, which reflects the VPN service’s running state rather than the actual tunnel status, continues to display as connected.
This distinction between service state and tunnel state is the crux of the problem. A VPN app can be “running” as an Android service while its actual encrypted tunnel has collapsed. The operating system checks one thing. Users assume it’s checking the other.
Mullvad VPN, a provider known for its aggressive stance on privacy, has been particularly vocal. The company’s own testing confirmed that Android 16 introduces regressions in VPN handling that did not exist in previous versions. In posts on their official channels and in responses to user reports, Mullvad engineers noted that the issue appears to be an OS-level problem outside the control of individual VPN applications. They can’t fix what the operating system breaks underneath them.
And this isn’t the first time Android’s VPN implementation has leaked. In 2022, Mullvad publicly disclosed that Android was sending some traffic — including DNS lookups and connectivity checks — outside the VPN tunnel even when the kill switch was enabled. Google’s response at the time was to characterize the behavior as “by design,” arguing that certain system-level checks needed to bypass the VPN to function properly. That explanation satisfied almost no one in the security community, but Google stood by it.
Now, with Android 16, the situation has worsened. It’s no longer just connectivity checks leaking. It’s all traffic, silently, with no user-visible indication.
The implications for enterprise deployments are severe. Companies that manage fleets of Android devices through mobile device management platforms rely on always-on VPN configurations to enforce security policies. If those VPN connections drop without triggering the kill switch, corporate data traverses public networks unencrypted. Credentials, internal application traffic, email content — all of it potentially exposed. IT administrators have no way to detect the failure from the device side because the device itself doesn’t know it’s failed.
For journalists, activists, and users in countries with aggressive surveillance regimes, the stakes are even higher. A VPN that silently disconnects isn’t just a technical failure. It’s a potential safety hazard. These users choose VPNs not for convenience but for protection, and the entire value proposition depends on the guarantee that traffic never leaves the encrypted tunnel without explicit user awareness.
Google’s pace of response has drawn sharp criticism from security researchers and Android developers. Bug reports in the issue tracker show weeks passing between user reports and official responses. Some commenters have noted that similar issues reported during the Android 16 beta cycle were flagged but apparently not resolved before the stable release. That suggests either the bug was deprioritized during the release process or the fix proved more complex than anticipated. Neither explanation is reassuring.
So where does this leave Android users who depend on VPNs right now? In a difficult position. Some VPN providers have implemented their own workarounds — periodic tunnel health checks, automatic reconnection logic, and user-facing alerts when the tunnel state doesn’t match expectations. But these are band-aids applied at the application layer for a problem rooted in the operating system. They help. They don’t solve the underlying issue.
Users running Android 16 on Pixel devices or other phones that received the update can check their actual connection status by visiting IP-checking websites while connected to their VPN. If the reported IP address doesn’t match the VPN server’s address, the tunnel has dropped. It’s a manual, tedious process. But until Google ships a fix, it’s one of the few reliable ways to verify that your VPN is actually doing what it claims.
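The manual IP check above, and the application-layer health checks some providers run, come down to comparing what the OS reports (service state) with what the network shows (egress address). The sketch below is an added example, not code from the article, Google, or any VPN provider; `classify`, `leak_events`, the sample log and the exit ranges (documentation address space) are all constructed for illustration, and obtaining the observed egress address is left to the caller.

```python
import ipaddress
from enum import Enum

class TunnelState(Enum):
    PROTECTED = "protected"        # egress address belongs to the VPN exit ranges
    SILENT_LEAK = "silent_leak"    # service says "running", egress is not the VPN
    DISCONNECTED = "disconnected"  # service itself reports it is down (visible to the user)
    UNKNOWN = "unknown"            # probe failed or returned something unparseable

def classify(service_running, observed_ip, vpn_exit_cidrs):
    """Compare the OS-reported service state with the address the network sees."""
    if not service_running:
        return TunnelState.DISCONNECTED
    try:
        addr = ipaddress.ip_address(observed_ip.strip())
    except (ValueError, AttributeError):
        return TunnelState.UNKNOWN
    nets = [ipaddress.ip_network(c) for c in vpn_exit_cidrs]
    # Membership is simply False across IP versions, so an IPv6 egress address
    # counts as a leak unless an IPv6 exit range is listed explicitly.
    if any(addr in n for n in nets):
        return TunnelState.PROTECTED
    return TunnelState.SILENT_LEAK

def leak_events(samples, vpn_exit_cidrs):
    """Return timestamps where the state *enters* SILENT_LEAK (one alert per drop)."""
    events, previous = [], None
    for ts, running, ip in samples:
        state = classify(running, ip, vpn_exit_cidrs)
        if state is TunnelState.SILENT_LEAK and previous is not TunnelState.SILENT_LEAK:
            events.append(ts)
        previous = state
    return events

# Constructed sample data: (timestamp, VPN service running?, observed egress IP)
VPN_EXITS = ["203.0.113.0/24", "2001:db8:aaaa::/48"]   # assumed provider exit ranges
SAMPLES = [
    ("09:00:00", True, "203.0.113.17"),
    ("09:01:00", True, "203.0.113.17"),
    ("09:02:00", True, "198.51.100.42"),     # tunnel gone, icon still shown
    ("09:03:00", True, "198.51.100.42"),     # same drop, no second alert
    ("09:04:00", True, ""),                  # probe returned nothing
    ("09:05:00", True, "203.0.113.17"),      # tunnel back
    ("09:06:00", True, "2001:db8:beef::5"),  # IPv6 egress outside the exit range
    ("09:07:00", False, "198.51.100.42"),    # service down: not a *silent* failure
]

if __name__ == "__main__":
    print(leak_events(SAMPLES, VPN_EXITS))
```

The probe has to run from outside the VPN app's own view of itself (for example against a server the operator controls), since the failure described here is precisely that the device-side state stays "connected".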
The broader question this episode raises is about the reliability of operating system-level security promises. Google has invested heavily in marketing Android’s privacy features — from the Privacy Dashboard to granular permission controls to the VPN kill switch itself. These features work only if the underlying implementation is correct. When it isn’t, the features become worse than useless. They become actively misleading, giving users false confidence while their data flows unprotected.
Android 16 shipped with significant fanfare. Live notifications, predictive back gestures, new camera APIs. The VPN bug didn’t make the keynote. But for the subset of users who treat their VPN connection as a non-negotiable security requirement, it may be the most consequential change in the entire release.
Google has not provided a public timeline for the fix. The company’s standard practice is to bundle security-relevant patches into monthly or quarterly updates, which means a resolution could still be weeks away. In the meantime, the bug sits in the tracker, accumulating stars and comments from frustrated users, while the VPN icon on their phones continues to glow with false assurance.
A small green icon. Telling you everything is fine. When it isn’t.


WebProNews is an iEntry Publication