diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index ea5af0897..da126ed0f 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -6299,6 +6299,9 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 
 	// See the netns package for documentation on what these capability do.
 	netns.SetBindToInterfaceByRoute(b.logf, nm.HasCap(tailcfg.CapabilityBindToInterfaceByRoute))
+	if runtime.GOOS == "android" {
+		netns.SetDisableAndroidBindToActiveNetwork(b.logf, nm.HasCap(tailcfg.NodeAttrDisableAndroidBindToActiveNetwork))
+	}
 	netns.SetDisableBindConnToInterface(b.logf, nm.HasCap(tailcfg.CapabilityDebugDisableBindConnToInterface))
 	netns.SetDisableBindConnToInterfaceAppleExt(b.logf, nm.HasCap(tailcfg.CapabilityDebugDisableBindConnToInterfaceAppleExt))
 
diff --git a/net/netns/netns.go b/net/netns/netns.go
index 5d692c787..fe7ff4dcb 100644
--- a/net/netns/netns.go
+++ b/net/netns/netns.go
@@ -46,6 +46,18 @@ func SetBindToInterfaceByRoute(logf logger.Logf, v bool) {
 	}
 }
 
+// When true, disableAndroidBindToActiveNetwork skips binding sockets to the currently
+// active network on Android.
+var disableAndroidBindToActiveNetwork atomic.Bool
+
+// SetDisableAndroidBindToActiveNetwork disables the default behavior of binding
+// sockets to the currently active network on Android.
+func SetDisableAndroidBindToActiveNetwork(logf logger.Logf, v bool) {
+	if runtime.GOOS == "android" && disableAndroidBindToActiveNetwork.Swap(v) != v {
+		logf("netns: disableAndroidBindToActiveNetwork changed to %v", v)
+	}
+}
+
 var disableBindConnToInterface atomic.Bool
 
 // SetDisableBindConnToInterface disables the (normal) behavior of binding
diff --git a/net/netns/netns_android.go b/net/netns/netns_android.go
index e747f61f4..7c5fe3214 100644
--- a/net/netns/netns_android.go
+++ b/net/netns/netns_android.go
@@ -17,6 +17,9 @@ import (
 var (
 	androidProtectFuncMu sync.Mutex
 	androidProtectFunc   func(fd int) error
+
+	androidBindToNetworkFuncMu sync.Mutex
+	androidBindToNetworkFunc   func(fd int) error
 )
 
 // UseSocketMark reports whether SO_MARK is in use. Android does not use SO_MARK.
@@ -50,6 +53,14 @@ func SetAndroidProtectFunc(f func(fd int) error) {
 	androidProtectFunc = f
 }
 
+// SetAndroidBindToNetworkFunc registers a func provided by Android that binds
+// the socket FD to the currently selected underlying network.
+func SetAndroidBindToNetworkFunc(f func(fd int) error) {
+	androidBindToNetworkFuncMu.Lock()
+	defer androidBindToNetworkFuncMu.Unlock()
+	androidBindToNetworkFunc = f
+}
+
 func control(logger.Logf, *netmon.Monitor) func(network, address string, c syscall.RawConn) error {
 	return controlC
 }
@@ -60,14 +71,36 @@ func control(logger.Logf, *netmon.Monitor) func(network, address string, c sysca
 // and net.ListenConfig.Control.
 func controlC(network, address string, c syscall.RawConn) error {
 	var sockErr error
+
 	err := c.Control(func(fd uintptr) {
+		fdInt := int(fd)
+
+		// Protect from VPN loops
 		androidProtectFuncMu.Lock()
-		f := androidProtectFunc
+		pf := androidProtectFunc
 		androidProtectFuncMu.Unlock()
-		if f != nil {
-			sockErr = f(int(fd))
+		if pf != nil {
+			if err := pf(fdInt); err != nil {
+				sockErr = err
+				return
+			}
+		}
+
+		if disableAndroidBindToActiveNetwork.Load() {
+			return
+		}
+
+		androidBindToNetworkFuncMu.Lock()
+		bf := androidBindToNetworkFunc
+		androidBindToNetworkFuncMu.Unlock()
+		if bf != nil {
+			if err := bf(fdInt); err != nil {
+				sockErr = err
+				return
+			}
 		}
 	})
+
 	if err != nil {
 		return fmt.Errorf("RawConn.Control on %T: %w", c, err)
 	}
diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 1efa6c959..04389faba 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -180,7 +180,8 @@ type CapabilityVersion int
 //   - 131: 2025-11-25: client respects [NodeAttrDefaultAutoUpdate]
 //   - 132: 2026-02-13: client respects [NodeAttrDisableHostsFileUpdates]
 //   - 133: 2026-02-17: client understands [NodeAttrForceRegisterMagicDNSIPv4Only]; MagicDNS IPv6 registered w/ OS by default
-const CurrentCapabilityVersion CapabilityVersion = 133
+//   - 134: 2026-03-09: Client understands [NodeAttrDisableAndroidBindToActiveNetwork]
+const CurrentCapabilityVersion CapabilityVersion = 134
 
 // ID is an integer ID for a user, node, or login allocated by the
 // control plane.
@@ -2463,6 +2464,12 @@ const (
 	// details on the behaviour of this capability.
 	CapabilityBindToInterfaceByRoute NodeCapability = "https://tailscale.com/cap/bind-to-interface-by-route"
 
+	// NodeAttrDisableAndroidBindToActiveNetwork disables binding sockets to the
+	// currently active network on Android, which is enabled by default.
+	// This allows the control plane to turn off the behavior if it causes
+	// problems.
+	NodeAttrDisableAndroidBindToActiveNetwork NodeCapability = "disable-android-bind-to-active-network"
+
 	// CapabilityDebugDisableAlternateDefaultRouteInterface changes how Darwin
 	// nodes get the default interface. There is an optional hook (used by the
 	// macOS and iOS clients) to override the default interface, this capability