In this video we dive into the Android bug discovered and reported by cybaqkebm from lowlevel-fun that looks like an intentional VPN backdoor. I also show how to deploy a local, temporary fix to your device if, like me, you want to keep safely using a VPN on your Android.
By the way, I only got to know about this bug thanks to Mullvad VPN’s post on X earlier today, which is a strong reason to keep sharing and educating others on what’s going on.
So, Mullvad posted about the issue on May 12, but the original report has been live since April 30 on lowlevel-fun as “The Tiny UDP Cannon: An Android VPN Bypass.”
Interestingly, the reported issue [510393733] on issuetracker.google now has an “Access is denied to this issue” message, meaning Android Security Team has deliberately hidden it from the public. This happened after the team closed the issue as “Won’t Fix (infeasible)”. GrapheneOS has already released a patch that fixes it, though.
Anyone can reproduce the exploit using cybaqkebm’s open-source PoC at 0x33c0unt/quic-vpn-bypass on GitHub.
How to Fix Android’s VPN Bypass
To fix it you will need to debug your Android device via the terminal, and you should only do it if you understand the implications of changing device config files. Follow the steps below (on Linux only, as I don’t know how to access it via Windows or macOS):
Install android-tools or other Android debugging tools. On Arch Linux I ran:
sudo pacman -S android-tools
Go to your device → Settings → About Phone → Software Information
Look for the “Build Number” field and click seven times on it to enable “Developer Options”
If using Samsung, go to Security and Privacy and disable “Auto Blocker”
Back to Developer Options, enable USB Debugging
Connect the device via USB cable to your Linux machine and authorize access (trusted device)
On your Linux terminal, check if the device is connected using Android Debug Bridge’s command:
adb devices
Still in the terminal, execute the code that will disable Android’s close_quic_connection feature with the -1 flag and reboot the device:
adb shell device_config put tethering close_quic_connection -1
adb reboot
To check if the new config was applied, look for a false boolean to “Close QUIC Connection”:
adb shell dumpsys connectivity | grep "Close QUIC"
## Close QUIC connection: false
You can revert the config and test the other way around by force-enabling the function with the 1 flag.
adb shell device_config put tethering close_quic_connection 1
adb reboot
Thank you for reading and watching the video!
Follow me on X at vinibarbosabr and subscribe for free to thecoding.substack [en] or codigoaberto.substack [pt-br].
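The verification step in the fix procedure above can be scripted so it is easy to repeat after a reboot or system update. This is an added example, not code from the original post or the PoC: the function names and verdict labels are hypothetical, and it assumes `device_config get` as the read counterpart of the `put` command used in the steps.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and verdict labels
# are hypothetical; `device_config get` is the read counterpart of `put`.

# Constructed sample of the dumpsys line the post greps for (adb may emit CRLF).
SAMPLE_DUMPSYS=$(printf 'Close QUIC connection: false\r\n')

# stdin: `adb devices` output -> ready | none | multiple | unauthorized | offline
adb_state() {
  awk '/^List of devices/ || /^\*/ { next }
       NF >= 2 { n++; s = $2 }
       END { if (n == 0) print "none"
             else if (n > 1) print "multiple"
             else if (s == "device") print "ready"
             else print s }'
}

# stdin: `dumpsys connectivity` output -> disabled | enabled | unknown
quic_close_state() {
  awk 'tolower($0) ~ /close quic connection:/ && v == "" {
         sub(/\r$/, ""); v = tolower($NF) }
       END { if (v == "false") print "disabled"
             else if (v == "true") print "enabled"
             else print "unknown" }'
}

# $1 = device_config value, $2 = quic_close_state result
verdict() {
  case "$2" in
    disabled) echo ok ;;
    enabled)  if [ "$1" = "-1" ]; then echo pending-reboot; else echo not-applied; fi ;;
    *)        echo unknown ;;
  esac
}

main() {
  dev=$(adb devices | adb_state)
  if [ "$dev" != ready ]; then
    echo "adb device state: $dev (need exactly one authorized device)" >&2
    return 2
  fi
  flag=$(adb shell device_config get tethering close_quic_connection | tr -d '\r')
  state=$(adb shell dumpsys connectivity | quic_close_state)
  result=$(verdict "$flag" "$state")
  echo "flag=$flag dumpsys=$state verdict=$result"
  [ "$result" = ok ]
}

# Run against a connected device only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A `pending-reboot` verdict means the flag is stored as -1 but dumpsys still reports the feature as enabled, which matches the post's note that the device must be rebooted for the change to apply.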










