Google API Key Vulnerability Exposes Gemini AI Access in Android Apps

Google API Key Vulnerability Exposes Gemini AI Access in Android Apps

First seen 11 Apr 2026, 09:09 UTC Infosecurity-MagazineLinkedin 83% similarity 69.0

Article Content

Browse articles
ThreatCluster

A vulnerability in Google's API key system has allowed unauthorized access to the Gemini AI platform from numerous Android applications. CloudSEK identified that existing API keys, meant for public services, inadvertently gained access to Gemini endpoints without user consent. This flaw affects 32 active keys across 22 widely used Android apps, which collectively have over 500 million installs. Attackers could exploit these keys to access sensitive user data, generate unexpected costs, and disrupt services. In one instance, a developer incurred $15,400 in charges due to a compromised key. The vulnerability stems from a structural flaw in Google's API design, merging public keys with server-side AI secrets. Researchers recommend developers audit their projects and restrict API access. Google has not yet responded to inquiries regarding this issue.

Key Points: • Google API keys for public services can now access Gemini AI without user consent. • 32 active keys across 22 Android apps expose over 500 million installs to potential attacks. • Developers are advised to audit their cloud projects and restrict API access.

ThreatCluster AI

Timeline

2026-04-08
CloudSEK publishes advisory on Google API key vulnerability.
2026-04-10
Truffle Security warns about API key misuse related to Gemini AI.

Community

Browse all →