SecurityWeek reports that Google API keys embedded in Android apps can authenticate to Gemini endpoints, exposing user data to unauthorized access. Dozens of such keys can be extracted from decompiled code and used to reach all Gemini endpoints. According to CloudSEK, 32 Google API keys are hardcoded in 22 popular Android apps with a combined user base of over 500 million, providing unauthorized access to Gemini.
The keys, which use the ‘AIza…’ format, can be abused for retroactive privilege escalation, enabling attackers to access private files and uploaded content and to make arbitrary Gemini API calls. The exposure is automatic once the AI service is enabled on the project, and because the keys persist across app versions, the attack surface grows for anyone able to extract them.
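A release-pipeline check for the defect described above, added here as an example and not code from SecurityWeek or CloudSEK: it scans decompiled-APK-style text for tokens in the ‘AIza…’ format and reports them masked, with a truncated hash for tracking the same key across versions. The file paths and both keys are constructed for illustration.

```python
import hashlib
import re

# Google API keys are 39 characters: "AIza" plus 35 characters from [A-Za-z0-9_-].
# The lookarounds keep the pattern from firing on a longer token containing such a run.
GOOGLE_API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Constructed stand-ins for decompiled APK output (apktool smali, res/values/
# strings.xml, a Java source). Both keys are made up and only follow the format.
SAMPLE_FILES = {
    "res/values/strings.xml":
        '<resources>\n'
        '  <string name="gemini_key">AIzaSyConstructedExampleKey000000000000</string>\n'
        '</resources>\n',
    "smali/com/example/ai/Client.smali":
        '.method public static key()Ljava/lang/String;\n'
        '    const-string v0, "AIzaSyConstructedSmaliKeyAbcdefghij0123"\n'
        '    return-object v0\n'
        '.end method\n',
    "src/com/example/Legit.java":
        '// too short to be a key, must not be reported\n'
        'String tag = "AIzaTooShort";\n',
}

def mask(key: str) -> str:
    # Report only prefix and suffix so the scan output does not re-leak the key.
    return key[:8] + "..." + key[-4:]

def scan_text(text: str, source: str) -> list[dict]:
    # One finding per occurrence; the truncated hash lets you match the same
    # key across app versions without storing it (the keys tend to persist).
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            key = m.group()
            digest = hashlib.sha256(key.encode()).hexdigest()[:16]
            findings.append({"source": source, "line": lineno,
                             "key_masked": mask(key), "key_sha256": digest})
    return findings

def scan_files(files: dict[str, str]) -> list[dict]:
    # files maps path -> content, e.g. gathered by walking an apktool output dir.
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['source']}:{f['line']}: {f['key_masked']} sha256:{f['key_sha256']}")
```

Running it against the real apktool output of a release build, and failing the build on any finding, catches the key before it ships; the hash also lets you confirm whether a key you have since rotated still appears in an older version.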