Android Bug Leaks DNS Traffic to Hackers While Switching VPN Servers


A critical vulnerability has been identified in Android’s operating system that allows DNS traffic to leak while a VPN app switches servers, potentially exposing users’ internet activity to cybercriminals.

The issue, which affects multiple versions of Android, including the latest Android 14, was first reported by a user on Reddit and subsequently confirmed by Mullvad VPN through an internal investigation.

The vulnerability was uncovered when a user noticed DNS queries leaking while toggling a VPN connection on and off, despite having the “Block connections without VPN” setting enabled.

Mullvad VPN’s subsequent investigation revealed that this was not an isolated incident but part of a broader issue within the Android OS.

Android Bug Leaks DNS Traffic

The DNS leaks occur under specific conditions:

  • When a VPN is active but no DNS server is configured for the tunnel.
  • During brief periods when a VPN app is reconfiguring the tunnel or if it crashes.

The leaks are primarily associated with direct calls to the C function getaddrinfo. Applications that resolve domain names using this method, such as the Chrome browser, are particularly susceptible to leaking DNS queries in the scenarios described.



The leakage of DNS queries poses significant privacy risks, as DNS traffic can reveal the websites a user visits and the apps they use.

This vulnerability is especially concerning because it can be exploited regardless of security measures like “Always-on VPN” and “Block connections without VPN,” designed to enhance user privacy.

In response to these findings, Mullvad VPN has announced plans to implement a temporary workaround by setting a bogus DNS server in its app’s blocking state to prevent DNS leaks until the issue is resolved upstream in the Android OS.

They also urge other developers and service providers to review their applications and implement similar safeguards if necessary.
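The following is an added illustration of the kind of safeguard the article describes, written against Android’s public VpnService.Builder API; it is example code, not Mullvad’s implementation. It contrasts a blocking-state tunnel that configures no DNS server (the condition under which the article says getaddrinfo callers can leak) with the same tunnel plus a bogus resolver address, so that DNS traffic is routed into the tunnel and discarded instead of reaching the real network. The class name, the tunnel address and the bogus resolver address (an RFC 5737 documentation address) are assumptions chosen for the example.

```java
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.IOException;

// Hypothetical VpnService subclass (example code, not Mullvad's). It shows the
// two blocking-state configurations discussed in the article.
public class BlockingStateVpnService extends VpnService {

    // Bogus resolver: an RFC 5737 documentation address that is never routable.
    // Any address covered by the tunnel's routes would do; this value is an assumption.
    private static final String BOGUS_DNS = "192.0.2.1";

    // Placeholder tunnel interface address (assumption for the example).
    private static final String TUN_ADDRESS = "10.64.0.2";

    private ParcelFileDescriptor tunnel;

    // Leaky variant: routes all IPv4 traffic into the tunnel but sets no DNS
    // server. Per the reported bug, applications that call getaddrinfo() directly
    // can still resolve names outside the tunnel while this is in effect.
    ParcelFileDescriptor establishBlockingWithoutDns() {
        return new Builder()
                .setSession("blocking state (no DNS server)")
                .addAddress(TUN_ADDRESS, 32)
                .addRoute("0.0.0.0", 0)   // capture all IPv4 traffic
                .establish();             // null if the user has not approved the VPN
    }

    // Workaround variant: identical, except a bogus DNS server is configured so
    // the system resolver sends queries to an address inside the tunnel's routes.
    ParcelFileDescriptor establishBlockingWithBogusDns() {
        return new Builder()
                .setSession("blocking state (bogus DNS server)")
                .addAddress(TUN_ADDRESS, 32)
                .addRoute("0.0.0.0", 0)
                .addDnsServer(BOGUS_DNS)  // queries now enter the tunnel instead of leaking
                .establish();
    }

    // Enter the blocking state. The service deliberately never reads from or
    // writes to the tunnel descriptor, so every packet routed into it,
    // including DNS queries addressed to BOGUS_DNS, is simply dropped.
    public void enterBlockingState() {
        closeTunnel();
        tunnel = establishBlockingWithBogusDns();
    }

    public void closeTunnel() {
        if (tunnel == null) {
            return;
        }
        try {
            tunnel.close();
        } catch (IOException ignored) {
            // Nothing useful to do if the descriptor is already gone.
        } finally {
            tunnel = null;
        }
    }
}
```

The example covers IPv4 only; a production app would add an IPv6 address and a "::/0" route so that IPv6 resolver traffic is captured the same way. Developers can verify the effect of the two variants by toggling between them on a test device and checking whether any DNS queries still appear on the physical network interface.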

This incident highlights the need for continuous vigilance and prompt action in the digital security landscape. Android users are advised to:

  • Ensure their VPN applications are up-to-date and configured correctly.
  • Monitor for any updates from their VPN service providers regarding this issue.
  • Stay informed about potential security vulnerabilities and how to mitigate them.

Google has yet to respond to the findings, but updates to the Android OS are anticipated as the community calls for a resolution to prevent future privacy breaches.



