
Users are worried about the risk of AI account exploitation through mobile app vulnerabilities.
A recent cybersecurity report warns that a number of popular Android apps are inadvertently exposing Google Gemini access keys, opening up the risk of unauthorized exploitation that ordinary users may not even realize.
22 Android apps that may expose Google Gemini API keys.
According to a report by cybersecurity firm CloudSEK, the problem lies in the API keys that applications use to connect to Google's services, which are considered the 'keys' that allow applications to communicate with the company's AI systems.
Previously, these keys were considered a normal technical component, and many developers integrated them into applications without concern, as they were not designed to extend access in the dangerous ways they do today.
However, when Google Gemini was integrated into the Google Cloud ecosystem, the old access keys became significantly more sensitive, no longer just technical identifiers but potentially becoming gateways to access paid AI services.
Notably, this change occurred silently, leaving many developers unprepared to realize that keys previously considered secure could be exploited in entirely different ways.
To use an analogy, a key that was originally only used to open a side door can now unlock a vault containing valuable assets, and if compromised, it could be used to gain unauthorized access to resources that belong to someone else.
The problem is that businesses or developers may only discover the issue when usage costs increase unusually.
The report states that 22 popular Android apps are experiencing this issue, with a total of over 500 million installations, indicating that the impact is not limited to a few apps but could affect hundreds of millions of users worldwide.
Even without directly seeing the API keys, end users are still at risk if the applications they use are not properly protected.
How are users affected?
What makes this incident worrying is that the consequences extend beyond the technical aspects. Once the API key is exposed, malicious actors can use it to send requests to Gemini as if they were authorized users of the service.
Each such request can incur costs for the account holder or the system owner. If the abuse continues unchecked, the bill can climb very quickly.
CloudSEK's report details real-world financial losses. One individual reportedly lost over $15,000 overnight due to unauthorized account exploitation. A Japanese business suffered losses of approximately $128,000. These figures demonstrate that this is no longer a theoretical risk, but a potentially very real and significant problem.
For the average user, the question is: What can I do? In reality, most users won't be able to check API keys or the system configuration behind an application on their own. But that doesn't mean you're completely helpless.
The safest approach is to prioritize reputable apps that are regularly updated, and avoid installing apps from unknown sources. For apps that have been used for a long time, updating to the latest version is also crucial, as many security patches are often released silently but are necessary.
From the developer's perspective, this incident serves as a clear reminder that even a small infrastructure change can have significant consequences if not thoroughly reassessed. API keys need to be managed more tightly, access limits more clearly defined, and anomaly monitoring mechanisms in place to detect unauthorized exploitation early. As AI becomes increasingly integrated into everyday applications, security is no longer an add-on, but must be a core component from the outset.
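To make the "anomaly monitoring" recommendation concrete, here is an added example that is not code from the article, from CloudSEK or from Google: a small Python check that reads a constructed JSON-lines usage export, buckets each key's spend by hour, and flags the three patterns a leaked key produces, namely hourly spend far above the key's historical baseline, use from clients other than the owner's own backend, and a day's spend passing a hard budget. The record field names, key ids, client addresses, baseline figures and thresholds are all assumptions for illustration, not a real billing schema.

```python
"""Usage anomaly check for server-side LLM API keys.

Added example, not tooling from the article, CloudSEK or Google. It reads a
constructed JSON-lines usage export (field names are an assumption, not a real
billing schema), buckets spend per key and hour, and flags the patterns a
leaked key produces: spend far above baseline, use from clients that are not
the owner's own backend, and a day's spend passing a hard budget.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export (placeholder key ids, RFC 5737 documentation IPs).
# app-prod-01 shows normal daytime use from the owner's two backend hosts;
# app-prod-02 shows a night-time burst from six unknown clients.
SAMPLE_USAGE = """
{"ts": "2026-04-10T10:02:11Z", "key_id": "app-prod-01", "client_ip": "203.0.113.10", "cost_usd": 0.02}
{"ts": "2026-04-10T10:15:40Z", "key_id": "app-prod-01", "client_ip": "203.0.113.11", "cost_usd": 0.02}
{"ts": "2026-04-10T10:48:03Z", "key_id": "app-prod-01", "client_ip": "203.0.113.10", "cost_usd": 0.02}
{"ts": "2026-04-10T02:01:00Z", "key_id": "app-prod-02", "client_ip": "198.51.100.1", "cost_usd": 2.50}
{"ts": "2026-04-10T02:03:12Z", "key_id": "app-prod-02", "client_ip": "198.51.100.2", "cost_usd": 2.50}
{"ts": "2026-04-10T02:05:30Z", "key_id": "app-prod-02", "client_ip": "198.51.100.3", "cost_usd": 2.50}
{"ts": "2026-04-10T02:09:51Z", "key_id": "app-prod-02", "client_ip": "198.51.100.4", "cost_usd": 2.50}
{"ts": "2026-04-10T02:14:07Z", "key_id": "app-prod-02", "client_ip": "198.51.100.5", "cost_usd": 2.50}
{"ts": "2026-04-10T02:20:45Z", "key_id": "app-prod-02", "client_ip": "198.51.100.6", "cost_usd": 2.50}
"""

# Illustrative inventory (assumed values): each key's historical average hourly
# spend, and the backend addresses that are the only legitimate users of it.
BASELINE_HOURLY_USD = {"app-prod-01": 0.10, "app-prod-02": 0.10}
EXPECTED_CLIENTS = {
    "app-prod-01": {"203.0.113.10", "203.0.113.11"},
    "app-prod-02": {"203.0.113.20"},
}


def parse_usage(text):
    """Parse JSON lines into records with a datetime 'ts'; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def summarize_by_hour(records):
    """Return {key_id: {hour_label: {"cost": float, "clients": set}}}."""
    summary = defaultdict(lambda: defaultdict(lambda: {"cost": 0.0, "clients": set()}))
    for rec in records:
        hour = rec["ts"].strftime("%Y-%m-%dT%H:00Z")
        bucket = summary[rec["key_id"]][hour]
        bucket["cost"] += rec["cost_usd"]
        bucket["clients"].add(rec["client_ip"])
    return summary


def detect_anomalies(summary, baselines, expected_clients,
                     spike_factor=5.0, daily_budget_usd=10.0):
    """Return {key_id: [(alert_kind, hour_label, detail), ...]} for keys that look abused."""
    alerts = defaultdict(list)
    for key_id, hours in summary.items():
        if key_id not in baselines:
            # A key that is not in the inventory at all is its own finding.
            alerts[key_id].append(("unknown_key", "day", None))
        baseline = baselines.get(key_id, 0.0)
        allowed = expected_clients.get(key_id, set())
        total = 0.0
        for hour in sorted(hours):
            bucket = hours[hour]
            total += bucket["cost"]
            if bucket["cost"] > spike_factor * baseline:
                alerts[key_id].append(("spend_spike", hour, round(bucket["cost"], 2)))
            strangers = bucket["clients"] - allowed
            if strangers:
                alerts[key_id].append(("unexpected_client", hour, len(strangers)))
        if total > daily_budget_usd:
            alerts[key_id].append(("budget_exceeded", "day", round(total, 2)))
    return dict(alerts)


if __name__ == "__main__":
    findings = detect_anomalies(summarize_by_hour(parse_usage(SAMPLE_USAGE)),
                                BASELINE_HOURLY_USD, EXPECTED_CLIENTS)
    for key_id, items in findings.items():
        for kind, when, detail in items:
            print(f"{key_id}: {kind} at {when} ({detail})")
```

The spend and budget checks are the ones that would have caught the overnight losses the article quotes. The client check only makes sense for a key that is meant to stay on the owner's servers, which is where a Gemini key belongs: a key shipped inside an app is by definition used from every install, so there is no address allowlist that can protect it. In practice an alert from a check like this should trigger immediate key rotation, not just a ticket.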
Source: https://tuoitre.vn/canh-bao-lo-hong-google-gemini-trong-ung-dung-android-nguy-co-phat-sinh-chi-phi-lon-20260410142715289.htm