
Gemini, Google's AI assistant, is supposed to make life easier for Android smartphone owners. But right now it may also be making life easier for anyone anyone who happens to pick up your phone.
As The Register reports, Google is working on a fix for a vulnerability that allows an attacker with physical access to a locked Android 16 device to use Gemini to send SMS messages and WhatsApp texts, without ever needing to enter a PIN.
So, imagine the scene. Someone gets hold of your locked Android phone and, despite not knowing your security PIN, they can send messages via SMS or WhatsApp pretending to come from you.
The Register says that it has received multiple reports since May of how it is possible to bypass authentication on Android 16 devices that have enabled Gemini access from the lock screen.
In May 2026, a security researcher published a write-up describing how they had reproduced the problem on a fully patched Pixel 6a, using Gemini's Deep Research feature as the entry point.
It is clear that Google has patched Gemini lock screen issues before, but security researchers keep finding new ways through.
The latest vulnerability is different from the previous similar Gemini-based Android lock screen bypass bugs that have been plaguing the operating system since September 2025.
This latest exploit requires a specific multi-touch gesture. When Android devices have revoked Gemini's access to apps like Messages, and someone tries to send an SMS via Gemini on the lock screen, the user is prompted to enter a PIN. However, when "Continue" is pressed simultaneously with Gemini's "Add attachment" button, the device allows the SMS to be sent without any authentication.
An attacker can then enable Gemini's access to other previously disconnected apps. All they have to do is invoke the relevant prompt by - for instance - typing "@WhatsApp" in Gemini's text window. Once again, no PIN is requested or required.
What makes this particularly sneaky is that the changes are not temporary. If a victim later unlocks their phone and checks their Gemini settings, they will find that WhatsApp has been connected to Gemini, even though no PIN was ever entered.
Of course, exploiting a vulnerability like this does require physical access to a vulnerable Android device. This is not an attack which can be carried out by a remote hacker. But, as we all know, it is all too common for a device to be left unattended, or snatched from a bag, or handed to someone you think you can trust.
A spokesperson at Google told The Register that this new bug is known about, and that a fix is scheduled to be rolled-out this week. But in the meantime, you would be wise to restrict what Gemini can access from your lock screen.
To do that:
Google will no doubt patch this particular bug. But the underlying problem is still present. Every new capability Gemini is given at the lock screen is also a new potential attack surface. The more useful your AI assistant becomes without you needing to unlock your phone, the harder it becomes to guarantee that only you can use it.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all posts