204/69 Friday, April 10, 2026

Researchers from CloudSEK have uncovered hardcoded Google API keys embedded in 22 popular Android applications, totaling 32 keys and impacting over 500 million users. These keys could potentially be abused to access Gemini AI services without authorization. The findings align with research from Quokka, which identified over 35,000 similar keys across approximately 250,000 Android apps, as well as Truffle Security, which reported nearly 3,000 exposed keys on public websites capable of authenticating with Gemini.
The primary concern involves API keys in the format “AIza…”, which were traditionally considered low-risk identifiers for services like Google Maps or Firebase. However, when Gemini or the Generative Language API is enabled within the same Google Cloud project, these existing keys may automatically gain access to Gemini endpoints, often without the developer’s awareness. Once attackers extract such keys from reverse-engineered apps, they can use them to invoke Gemini APIs, access uploaded or cached data, and consume API quotas, potentially leading to unexpected costs for project owners.
This issue highlights how easily Android applications can be reverse-engineered at scale to extract embedded keys. While the immediate impact may be on developers’ Gemini resources, experts warn that if apps process or upload real user data, there is also a risk of indirect data exposure. The findings underscore that API keys once considered harmless identifiers are now effectively sensitive credentials requiring strict protection.
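Since the keys are embedded in shipped APKs, the practical defence is to catch them before release. The following Python build-time scanner is an added example, not code from the article or from any of the cited researchers: it walks a constructed sample of decoded app sources (a resource file, a decompiled constant, a manifest) and flags every string with the exact shape of a Google API key, masking the value in its report. The 39-character pattern (the “AIza” prefix plus 35 characters from `[A-Za-z0-9_-]`) is the one secret scanners commonly use and is an assumption here; the article only mentions the prefix. The file paths and key values are constructed placeholders.

```python
"""Build-time scanner for hardcoded Google API keys ("AIza..." format).

Added example (not from the article or the cited research). It runs over a
constructed sample of decoded app sources and reports every string that has
the exact shape of a Google API key, so a CI job can fail the build before a
key that may also reach Gemini endpoints ships inside an APK.
"""
import re
from dataclasses import dataclass

# Assumption: Google API keys are 39 characters, the literal prefix "AIza"
# followed by 35 characters from [A-Za-z0-9_-]. This is the pattern most
# secret scanners use; the article only mentions the "AIza..." prefix.
# Lookarounds (rather than \b) keep keys ending in "-" from being missed.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])AIza[0-9A-Za-z_-]{35}(?![A-Za-z0-9_-])"
)

# Constructed placeholder keys (correct length, not real credentials).
FAKE_KEY_A = "AIzaSyA0123456789abcdef0123456789abcdef"
FAKE_KEY_B = "AIzaSyBfedcba9876543210fedcba9876543210"

# Constructed sample of what a decompiled APK looks like to a scanner:
# a resource file, a decoded constant in smali, and a manifest that only
# references the key by resource name (so it must not be flagged).
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">DemoApp</string>\n'
        f'    <string name="maps_key">{FAKE_KEY_A}</string>\n'
        "</resources>\n"
    ),
    "smali/com/example/demo/BuildConfig.smali": (
        ".class public final Lcom/example/demo/BuildConfig;\n"
        f'.field public static final GEMINI_KEY:Ljava/lang/String; = "{FAKE_KEY_B}"\n'
    ),
    "AndroidManifest.xml": (
        '<meta-data android:name="com.google.android.geo.API_KEY"\n'
        '           android:value="@string/maps_key" />\n'
        "<!-- AIzaShort is a comment, not a key -->\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    masked_key: str


def mask_key(key: str) -> str:
    """Keep enough of the key to locate it in a report without reproducing it."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per key-shaped string in `text`, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, mask_key(match.group(0))))
    return findings


def scan_sources(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> decoded file content; paths are sorted for stable reports."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def has_hardcoded_keys(files: dict[str, str]) -> bool:
    """CI gate: True when any key-shaped string is present in the build output."""
    return bool(scan_sources(files))


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: possible Google API key {f.masked_key}")
    raise SystemExit(1 if has_hardcoded_keys(SAMPLE_FILES) else 0)
```

In a real pipeline the mapping would be filled from the decoded output of the release build (resources and compiled classes alike), and a non-zero exit would block the release. A key that genuinely must ship in the client should then be restricted in the Google Cloud console to the specific Android package and signing certificate and to only the APIs the app needs, so that enabling Gemini in the same project does not silently widen what the key can reach.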
