
Major Google Bug Triggers Gemini AI Leak in Google Pay for Business, Oyo Hotels and Other Apps: Report

A CloudSEK report has found hardcoded Google API keys in Android apps that expose Gemini credentials.


Photo Credit: Unsplash/Daniel Romero

CloudSEK has found 32 keys in 22 Android apps with more than 10 million installations

Highlights
  • These API keys were previously used as public identifiers
  • Gemini integration in Android apps adds authentication to the keys
  • Bad actors can steal user data and trigger unauthorised usage

Google's implementation of an application programming interface (API) key architecture has reportedly led to a massive Gemini exposure risk in Android apps. As per the cybersecurity research firm CloudSEK, a particular client-side API key, which previously functioned as an identifier, receives credential privileges after an Android app integrates the Gemini API. This, in the hands of a bad actor, can expose the data users share with the chatbot. Additionally, this can also result in bad actors making unauthorised Gemini API calls, racking up huge bills for the developer.

How a Google API Key Triggers Gemini Exposure

In a blog post, CloudSEK explained how an API key (AIza...), which was deemed safe by Google to add to the codebase of Android apps, suddenly gains credential privileges after Gemini is integrated into the app. This security flaw builds on the findings of Truffle Security, which found a similar flaw on a Google Cloud project.

CloudSEK's BeVigil, a mobile app security search engine, scanned the top 10,000 Android apps (based on number of installs) and found 32 live Google API keys hardcoded in 22 different apps with more than 500 million installs collectively. Some of these apps are Oyo Hotel, Google Pay for Business, Taobao, apna Job Search App, Elsa Speak, HD Sticker & Pack WAStickersApps, The Hindu, ISS Live Now, and more.

Interestingly, the report claims that a key of the AIza… format is added to the app when a developer wants to embed Maps or Firebase, following the documentation instructions shared by Google. However, once the Generative Language API is enabled on the same project, that key gains access to all Gemini endpoints without any warning or notification. So, anyone who decompiles the app can easily extract the key, and it then acts as a live Gemini credential.

For end users, this means any data shared with Gemini, such as documents, images, or audio, and stored in the Files API, can be accessed by the bad actor. Additionally, all sensitive information in the cached AI context can be read, copied, or exfiltrated by the one gaining unauthorised access.

Developers and publishers also face significant risks. Gemini API integration is not free; developers pay for all usage. So, if a bad actor makes unauthorised calls with the leaked key, the developer can be left with massive bills. Additionally, the companies face a regulatory burden if users' data is compromised.

CloudSEK recommends developers and companies review all API keys in a GCP project, rotate any key that is embedded in a mobile app, restrict keys by service, and not hardcode any API key in the mobile app source code. While end users cannot do much, they should be careful about using Gemini services in an Android app. If they do not trust the app, they should limit their Gemini interaction to the official app and platforms.
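One practical way to act on the "do not hardcode" recommendation is to scan the app's source tree, or an apktool-decoded build, for the AIza… key format before every release, so that any embedded key is caught, rotated and restricted before it ships. The following is an added example written for this article; it is not CloudSEK's BeVigil, Google tooling, or code from any of the apps named above. The key pattern (literal "AIza" followed by 35 characters from [A-Za-z0-9_-]) is the one commonly used by secret scanners; the sample project files and the key in them are constructed for the demonstration, and `build_sample_project`, `scan_text` and `scan_tree` are names chosen here.

```python
"""Pre-release check for hardcoded Google API keys in an Android project.
Added example, not code from CloudSEK, Google, or the apps in the report.
Findings are reported with the key masked so the scan output itself does
not become another place the credential is copied to."""
import os
import re
import tempfile
from dataclasses import dataclass

# Google API keys are 39 characters: "AIza" plus 35 chars of [A-Za-z0-9_-].
# Widely used secret-scanner pattern; tighten or extend it for other key types.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# File types worth checking in source or in an apktool-decoded APK.
SCAN_SUFFIXES = (".xml", ".java", ".kt", ".smali", ".properties", ".json", ".gradle")


@dataclass(frozen=True)
class Finding:
    path: str        # path relative to the scanned root
    line_no: int     # 1-based line number of the match
    masked_key: str  # "AIzaSyEX...mnop": enough to identify, not enough to use


def mask(key: str) -> str:
    """Keep only the first 8 and last 4 characters of a key for reporting."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per key-shaped token found in the given text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, n, mask(m.group(0))))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a project or decoded-APK directory and scan the relevant files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return findings


def build_sample_project() -> str:
    """Create a constructed mini Android project in a temp dir and return its path.
    The key below is made up for this example; it is not a real credential."""
    root = tempfile.mkdtemp(prefix="apk-scan-demo-")
    os.makedirs(os.path.join(root, "res", "values"))
    os.makedirs(os.path.join(root, "src"))
    # Typical place a Maps/Firebase key ends up: a string resource, which is
    # trivially recoverable from the shipped APK.
    with open(os.path.join(root, "res", "values", "strings.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n'
                 '<resources>\n'
                 '    <string name="google_maps_key">AIzaSyEXAMPLE0123456789abcdefghijklmnop</string>\n'
                 '</resources>\n')
    # A source file that does NOT embed a key: it relies on a backend to make
    # Gemini calls on the app's behalf. "AIzaNotAKey" is too short to match.
    with open(os.path.join(root, "src", "GeminiClient.kt"), "w", encoding="utf-8") as fh:
        fh.write('// Gemini requests go through our server; no AIzaNotAKey literal here.\n'
                 'class GeminiClient(private val backendUrl: String)\n')
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_project()):
        print(f"{f.path}:{f.line_no}: hardcoded Google API key {f.masked_key}")
```

Any hit is treated as a release blocker: the key is rotated in the GCP project, the replacement is restricted to the specific service and Android package/signing fingerprint it needs, and, if the app talks to Gemini, those calls are moved behind a server the app authenticates to rather than shipping a key at all. A mobile client still needs some key for Maps or Firebase, so the scan is there to make sure that key is never the same one that has Generative Language API access.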


Akash Dutta
Akash Dutta is a Chief Sub Editor at Gadgets 360. He is particularly interested in the social impact of technological developments and loves reading about emerging fields such as AI, metaverse, and fediverse. In his free time, he can be seen supporting his favourite football club - Chelsea, watching movies and anime, and sharing passionate opinions on food. More
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.