Full Report
A specific multi-touch gesture bypasses an authentication prompt, allowing anyone to send messages
Analysis Summary
# Vulnerability: Android Lock Screen Bypass via Gemini Multi-Touch Gesture
## CVE Details
- **CVE ID**: Pending/Not specified in report (Associated with bypasses reported in July 2026)
- **CVSS Score**: Estimated 4.6 (Medium) - Based on CVSS 4.0: `AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N`
- **CWE**: CWE-287 (Improper Authentication) / CWE-290 (Authentication Bypass by Spoofing)
## Affected Systems
- **Products**: Android OS (utilizing Google Gemini as the default assistant)
- **Versions**: Android 14 and Android 15 (Implicitly identified via "Android 15 devices" and references to late 2025/2026 bug cycles)
- **Configurations**: Devices with "Gemini on Lock Screen" enabled and specific Google Workspace or Messaging extensions active.
## Vulnerability Description
A race condition or UI logic flaw exists in how the Google Gemini interface handles simultaneous touch inputs on the lock screen. When Gemini prompts for a PIN to "Continue" an action (such as sending an SMS or accessing messages), pressing the **"Continue"** button simultaneously with the **"Add Attachment"** button bypasses the authentication challenge.
Successful exploitation grants an unauthenticated user the ability to send messages, make calls, and re-enable Gemini’s access to previously revoked app extensions (e.g., WhatsApp, Google Messages) without ever providing the device PIN or biometric data.
## Exploitation
- **Status**: PoC Available (Documented by security researchers; video demonstrations exist)
- **Complexity**: Low (Requires a specific multi-touch gesture)
- **Attack Vector**: Physical (Requires direct access to the device)
## Impact
- **Confidentiality**: Low (Access to partial message history may be limited, but interaction with the chatbot is possible)
- **Integrity**: High (Attacker can send messages, make calls, and modify settings for Gemini app extensions as the authenticated user)
- **Availability**: Low (No direct system denial of service, though unauthorized setting changes occur)
## Remediation
### Patches
- **Google Fix**: A server-side or app-system update was scheduled for full deployment by the third week of July 2026.
- **Action**: Users should update the "Google" app and "Gemini" app via the Play Store and ensure the latest Android Security Patch Level is applied.
### Workarounds
- **Disable Gemini on Lock Screen**: Go to **Settings > Google > Gemini > Gemini on Lock Screen** and toggle the feature **OFF**.
- **Revoke Permissions**: Manually disconnect sensitive extensions (WhatsApp, Messages, Phone) within Gemini settings until a patch is confirmed.
## Detection
- **Indicators of Compromise**:
- Unauthorized messages in "Sent" folders (SMS, WhatsApp).
- Gemini Extensions (like WhatsApp) being toggled "ON" in settings despite being previously disabled.
- **Detection Methods**: Review account activity logs and outgoing message history for anomalies.
## References
- **Vendor Advisories**: Google (Statement provided to The Register)
- **Relevant links**:
- hxxps[://]infosecwriteups[.]com/android-lock-screen-bypass-via-google-gemini-the-patch-that-wasnt-5509c5c21630
- hxxps[://]payatu[.]com/blog/android-lock-screen-bypass-through-google-gemini/
- hxxps[://]www[.]youtube[.]com/watch?v=XyjTPd78sXE