Google API Key Vulnerability Exposes Gemini AI Access in Android Apps

Severity: High (Score: 69.0)

Sources: Linkedin, Infosecurity-Magazine

Summary

A vulnerability in Google's API key system has allowed unauthorized access to the Gemini AI platform from numerous Android applications. CloudSEK identified that existing API keys, meant for public services, inadvertently gained access to Gemini endpoints without user consent. This flaw affects 32 active keys across 22 widely used Android apps, which collectively have over 500 million installs. Attackers could exploit these keys to access sensitive user data, generate unexpected costs, and disrupt services. In one instance, a developer incurred $15,400 in charges due to a compromised key. The vulnerability stems from a structural flaw in Google's API design, merging public keys with server-side AI secrets. Researchers recommend developers audit their projects and restrict API access. Google has not yet responded to inquiries regarding this issue.

Key Points

  • Google API keys for public services can now access Gemini AI without user consent.
  • 32 active keys across 22 Android apps expose over 500 million installs to potential attacks.
  • Developers are advised to audit their cloud projects and restrict API access.

Key Entities

  • Botnet (attack_type)
  • Data Breach (attack_type)
  • DDoS (attack_type)
  • Malware (attack_type)
  • Ransomware (attack_type)
  • Bitcoin Depot (company)
  • CloudSEK (company)
  • Google (company)
  • Los Angeles City Attorney’s Office (company)
  • Winona County (company)
  • Aisuru (malware)
  • Kaiji (malware)
  • Chaos (ransomware_group)
  • Adobe Reader (platform)
  • Android (platform)
  • EngageSDK (platform)
  • Firebase (platform)
  • Gemini AI Platform (platform)
  • Docker (tool)
  • Gemini API (tool)
  • Google Cloud (tool)