4 July 2024

A critical Android bug has been discovered, putting millions of users’ privacy at risk. Despite having a VPN kill switch enabled, Android devices are leaking DNS queries, exposing users’ online activities and approximate locations. This bug is a significant concern, and users are advised to take immediate action to protect themselves.

The issue was first spotted by a Mullvad VPN user on April 22. It occurs when apps make direct calls to the getaddrinfo C function, which provides protocol-independent translation from a text hostname to an IP address. This bug leaks DNS traffic when a VPN is active but no DNS server has been configured or when a VPN app re-configures the tunnel, crashes, or is forced to stop.

The “Always-on VPN” feature is designed to start the VPN service when the device boots and keep it running while the device or profile is on. Enabling the “Block Connections Without VPN” option (also known as a kill switch) ensures that all network traffic and connections pass through the always-connected VPN tunnel, blocking prying eyes from monitoring the users’ web activity. However, this bug defeats the purpose of these security features, leaving users vulnerable to privacy breaches.
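One way to check a device for the leak described above, as an added example that is not code from the article or from Mullvad: it scans a `tcpdump -n` text capture taken on the physical network path (for example on the Wi-Fi router) and reports plaintext DNS queries sent outside the tunnel. The tunnel endpoint address and port, the function name and the sample capture lines are constructed assumptions.

```python
import re

# Assumption: placeholder tunnel endpoint (documentation address range).
VPN_ENDPOINT = ("203.0.113.10", 51820)

# `tcpdump -n` text lines, IPv4 and IPv6: "<ts> IP src.port > dst.port: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Question section as tcpdump prints it, e.g. "4660+ A? bank.example. (30)"
QUERY_RE = re.compile(r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")

# Constructed sample capture from the physical interface (not real traffic).
SAMPLE = """\
12:00:01.100000 IP 192.168.1.23.40000 > 203.0.113.10.51820: UDP, length 148
12:00:02.200000 IP 192.168.1.23.41234 > 192.168.1.1.53: 4660+ A? bank.example. (30)
12:00:02.210000 IP 192.168.1.1.53 > 192.168.1.23.41234: 4660 1/0/0 A 198.51.100.7 (46)
12:00:02.300000 IP6 2001:db8::23.41235 > 2001:db8::1.53: 4661+ [1au] AAAA? mail.example. (41)
12:00:03.000000 IP 192.168.1.23.40000 > 203.0.113.10.51820: UDP, length 96
""".splitlines()


def find_dns_leaks(lines, vpn_endpoint=VPN_ENDPOINT):
    """Return plaintext DNS queries (port 53) seen outside the VPN tunnel."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dst = (m["dst"], int(m["dport"]))
        if dst == vpn_endpoint or dst[1] != 53:
            continue  # expected tunnel traffic, or not addressed to a DNS port
        q = QUERY_RE.search(m["rest"])
        leaks.append({
            "time": m["ts"],
            "resolver": m["dst"],
            "qtype": q["qtype"] if q else None,
            "qname": q["qname"].rstrip(".") if q else None,
        })
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE):
        print(f'{leak["time"]} leaked {leak["qtype"]} query for '
              f'{leak["qname"]} to {leak["resolver"]}')
```

With the kill switch working as intended, the function returns an empty list; any entry shows both the hostname that was exposed and the resolver that saw it.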

DNS traffic leaks present a significant risk to user privacy. They can expose users’ approximate locations and the online platforms they engage with. This is a serious concern, especially for users who rely on VPNs for sensitive activities such as online banking, shopping, or communicating sensitive information. Moreover, this bug can also expose users’ browsing history, search queries, and other online activities, which can be used for malicious purposes such as targeted advertising or even identity theft.

Mullvad has suggested some temporary mitigations, including setting a bogus DNS server while the VPN app is active. However, these workarounds should not be necessary, and the issue should be addressed in the OS to protect all Android users. It is crucial for Google to take immediate action to resolve this bug and backport the patch to older Android versions.

This is not the first time Android devices have been found to be leaking DNS queries. In October 2022, Mullvad discovered that Android devices were leaking DNS queries every time they connected to a WiFi network, despite having “Always-on VPN” enabled. This repeated occurrence of DNS leaks raises concerns about the security and privacy of Android devices.

Given the seriousness of this issue, users are advised to take immediate action to protect themselves. This includes stopping the use of Android devices for sensitive activities until the bug is resolved and implementing additional safeguards to mitigate the risk of DNS leaks. Users should also consider using alternative devices or operating systems that prioritize privacy and security.

This is a significant privacy concern that requires immediate attention from Google and Android users. Users’ privacy should be a top priority, and such critical issues should be addressed promptly to ensure the security and privacy of Android devices.
