What apps have exposed Google API keys to Gemini?

CloudSEK named 22 popular ones with 500M+ users combined, but details are redacted for now—check their report or app audits.

How do attackers use these stolen API keys?

They hit Gemini endpoints to read files, make calls, burn quotas, or steal cached data—easy with decompiled APKs.

Is Google fixing the Gemini API key exposure?

They're adding restrictions, but legacy keys persist; devs must rotate and use safer auth like OAuth.

📋 Compliance & Policy

Hidden Gemini Keys in Top Android Apps: 500 Million Users' Data on the Line

You thought those old Google Maps keys were harmless? Think again. They're now golden tickets to Gemini's vault, buried in apps millions download daily.

theAIcatchup Apr 09, 2026 4 min read

Decompiled Android APK revealing exposed Google API key for Gemini AI access

⚡ Key Takeaways

Hardcoded Google API keys in 22 Android apps expose Gemini endpoints to easy extraction, risking 500M users' data. 𝕏
Keys meant for Maps now auto-grant AI access— a silent privilege escalation per Google's project settings. 𝕏
Fix: Rotate keys, proxy via servers; expect Google to mandate stricter auth soon. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#API key leakage #Android API keys #Android security flaw #CloudSEK research #Gemini AI exposure #Gemini security flaw #Google API keys #Google Gemini

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by SecurityWeek

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Shadow AI: Enterprises' Invisible Data Leak Factory

Microsoft's Silent Account Purge Leaves Windows Users Exposed to Unpatched Security Tools

Microsoft's 2026 Warning: Water Utilities Still One Hack Away From Chaos

LiteLLM's Backdoor Bombshell: How Hackers Hijacked AI's Fast Lane

Stay in the loop