
Silent Expansion of Google API Key Access to Gemini AI Endpoints on Android Applications

1 unique source, 1 article

Summary


A structural flaw in Google’s API key system has enabled unauthorized access to the Gemini AI platform from embedded keys in Android applications. The issue stems from Google’s API key format, which previously restricted access to services like Maps and Firebase but now automatically grants access to AI endpoints when Gemini is enabled. Developers who embedded these keys in client-side code, following prior guidance, now face exposure of sensitive data, unauthorized API usage leading to financial losses, and potential service disruption. CloudSEK identified 32 active exposed keys across 22 Android applications with over 500 million cumulative installs, demonstrating the widespread nature of the risk.
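The exposure described above begins with a key shipped inside the app. As an added, defender-side example (not code from CloudSEK, Google or the report), the following Python scanner runs over an app's own decoded resources, finds embedded Google API keys, and groups them by the service they were evidently provisioned for, so a team can see which "Maps/Firebase" keys are the same credentials that would reach Gemini endpoints once Gemini is enabled in the project. The key format, the resource names, and the sample XML are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Public Google API key format: "AIza" prefix, 39 characters total (known format,
# assumed here; the report above does not quote it).
KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Resource / meta-data names under which Android apps commonly ship a key that was
# provisioned for Maps or Firebase (assumed, well-known names; not from the report).
INTENDED_SERVICE = {
    "com.google.android.geo.API_KEY": "Maps",
    "google_api_key": "Firebase",
    "google_crash_reporting_api_key": "Firebase",
}

STRING_RE = re.compile(r'<string\s+name="([^"]+)"\s*>\s*([^<]+?)\s*</string>')
META_RE = re.compile(r'<meta-data\s+android:name="([^"]+)"\s+android:value="([^"]+)"')

@dataclass(frozen=True)
class Finding:
    key: str
    location: str   # resource or meta-data name the key sits under
    intended: str   # service the key was evidently embedded for, or "unknown"

def find_embedded_keys(xml_text: str) -> list[Finding]:
    """Locate Google API keys in decoded strings.xml / AndroidManifest.xml text."""
    found: dict[Finding, None] = {}            # insertion-ordered de-duplication
    for pattern in (STRING_RE, META_RE):
        for name, value in pattern.findall(xml_text):
            for key in KEY_RE.findall(value):
                found[Finding(key, name, INTENDED_SERVICE.get(name, "unknown"))] = None
    return list(found)

def exposure_report(findings: list[Finding]) -> dict[str, dict]:
    """Group findings per key: one key is one credential for the whole project, so a
    key shipped for Maps/Firebase is the credential the report says reaches Gemini."""
    report: dict[str, dict] = {}
    for f in findings:
        entry = report.setdefault(f.key, {"locations": [], "intended": set()})
        entry["locations"].append(f.location)
        entry["intended"].add(f.intended)
    return report

# Constructed sample of decoded app resources; the keys are fake, correctly shaped values.
SAMPLE_XML = """<resources>
  <string name="app_name">Demo</string>
  <string name="google_api_key">AIzaSyA-CONSTRUCTED-SAMPLE-KEY-00000001</string>
  <string name="google_crash_reporting_api_key">AIzaSyA-CONSTRUCTED-SAMPLE-KEY-00000001</string>
</resources>
<meta-data android:name="com.google.android.geo.API_KEY" android:value="AIzaSyB-CONSTRUCTED-SAMPLE-KEY-00000002"/>"""

if __name__ == "__main__":
    for key, info in exposure_report(find_embedded_keys(SAMPLE_XML)).items():
        print(f"{key[:8]}... intended for {sorted(info['intended'])} at {info['locations']}: "
              "confirm this key's API restrictions in the Cloud console and rotate if in doubt")
```

Run it against the output of an APK decoder (e.g. the decoded `res/values/strings.xml` and `AndroidManifest.xml`) before release; every key it lists should be checked for API restrictions rather than assumed to be limited to the service it was added for.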

Timeline

  1. 08.04.2026 19:00 · 1 article

    Gemini AI endpoint access enabled by default for embedded Google API keys in Android apps

    Google API keys embedded in Android applications automatically gained access to Gemini AI endpoints upon service activation, creating unintended exposure paths. CloudSEK identified 32 exposed keys across 22 apps with 500M+ installs, including confirmed unauthorized access to private files via the Gemini Files API. Documented incidents show financial losses exceeding $140,000 due to unauthorized API usage, highlighting operational and financial risks.


Information Snippets

  • Google’s existing API keys, historically restricted to public-facing services, now automatically gain access to Gemini AI endpoints when the service is enabled in a Google Cloud project, without requiring changes to key permissions or user consent.

    First reported: 08.04.2026 19:00
    1 source, 1 article
  • CloudSEK identified 32 exposed Google API keys embedded in 22 Android applications, collectively installed on over 500 million devices, using its BeVigil platform.

  • Researchers demonstrated unauthorized access to user-uploaded audio files from an English-learning app via the exposed Gemini Files API, retrieving file metadata, timestamps, and accessible links.

  • Exploited keys have led to documented financial losses, including charges of $15,400 within hours and another incident totaling $128,000 in losses despite implemented controls.
