Hardcoded Google API Keys in Top Android Apps Now Expose Gemini AI
ID: 7ebd63f0-0a41-51c4-aa7f-ef0a0ee1b4f5
STIX ID: report--7ebd63f0-0a41-51c4-aa7f-ef0a0ee1b4f5
Feed Name: CloudSEK Blog
CloudSEK’s BeVigil found that legacy Google API keys (AIza...) embedded in mobile apps were silently granted access to Google’s Gemini Generative Language API when Gemini was enabled on the associated cloud projects. Scanning the top 10,000 Android apps, researchers identified 32 live keys across 22 apps (combined install base >500M), confirmed user audio file exposure in ELSA Speak, and highlighted multiple real-world abuse cases leading to large unauthorized charges; recommendations include auditing projects, rotating and restricting keys, and avoiding hardcoding keys in apps.
