2 min read

Gemini bug bypasses Android lock-screen PIN

A multi-touch bug in Android 16 can let thieves use Gemini to send SMS or WhatsApp messages without a PIN. Google says a fix is rolling out.

Image: The Register

A specific multi-touch gesture can let someone with physical access to an Android 16 phone use Gemini from the lock screen to send SMS or WhatsApp messages without entering the device PIN. Google says a fix has already been implemented and was scheduled for full deployment this week.

Since May, The Register has received multiple reports of users bypassing device authentication on Android 16 phones with Gemini enabled on the lock screen. The issue is distinct from similar Gemini-based Android lock-screen bypass bugs reported since September 2025.

How the Gemini lock-screen bypass works

The flaw appears when a device owner has revoked Gemini’s access to apps such as Messages. If an unauthenticated user asks Gemini to send an SMS from the lock screen, the assistant prompts them to open the relevant app. Choosing “Continue” normally triggers a PIN request.

But pressing “Continue” at the same time as Gemini’s “Add attachment” button can bypass that authentication step, allowing the message to be sent anyway.

The attacker can then use Gemini prompts to reconnect access to other apps that were previously disabled in Settings. Entering “@WhatsApp” in Gemini’s text field, for example, can enable WhatsApp access without a PIN. After entering the correct PIN later, the device Settings can show that WhatsApp is connected to Gemini even though the expected authentication step was never completed.

Recommended reading

Weather Data Sabotage Threatens AI Forecasts

The exploit requires physical access to the phone. While that limits its use in many scenarios, The Register said the risk is more significant amid phone theft—particularly in the UK—and could enable convincing SMS messages used in scams, including fake kidnapping schemes.

A Google spokesperson confirmed that the issue is known and said the company had already implemented a fix. Google also said the bug is not Pixel-specific, despite reports that it could not be reproduced on Samsung devices, but did not identify the affected manufacturers, models, or Android versions.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

/ Keep reading