Lock Screen Security Bypasses
Security researchers have identified multiple vulnerabilities in Google’s Gemini AI assistant that allow unauthorized access to user data from a locked Android device. These flaws, which Google has since addressed through security patches, highlight the risks of integrating generative AI agents directly into mobile operating systems, potentially bypassing standard lock-screen authentication protocols.
In 2024 and 2025, independent researchers discovered methods to interact with Gemini while a smartphone remained locked. Typically, Gemini on a locked screen is restricted to basic queries and cannot access sensitive personal data, such as emails or account settings. On a Pixel 6A, one researcher demonstrated that selecting the “Deep Research” feature could trigger an interface intended for unlocked devices. By timing a long press on the “+” button, the researcher bypassed the system’s identity verification check, allowing them to switch Google accounts and view conversation history without entering a PIN or biometric credential.

Manipulating Agent Execution
Beyond lock-screen access, researchers found ways to manipulate Gemini’s application context to perform actions without user consent. One investigator identified a vulnerability where Gemini could be instructed to draft Gmail messages and delete content from NotebookLM notebooks without requiring manual authentication.
The flaw also extended to “Gems”—customized AI agents within the Gemini ecosystem. The researcher successfully triggered these agents to perform tasks despite the lack of owner validation. Google confirmed these vulnerabilities had been mitigated by the time the findings were publicized.
Scope of Affected Hardware
The identified issues affected a range of devices and software versions. Google confirmed that a similar bypass was reproducible on a Galaxy S23 FE and a Pixel 7 Pro, running Android versions ranging from 13 to 15.
Researchers followed the standard responsible disclosure process, notifying Google of these gaps. In response, Google issued software updates to close the loopholes. The company’s policy of issuing bug bounties, as noted in the instance where a researcher was awarded a prime for detecting an early variant of the issue, serves as a primary mechanism for identifying these flaws before they can be exploited in the wild.

The Future of AI Permission Models
The integration of generative AI complicates this boundary because the assistant requires access to user data to be functional. As these researchers demonstrated, when the AI agent’s interface is mistakenly exposed before the system verifies the user’s identity, the protective layers of the operating system can be circumvented.
Worth a look