Google Fixing Critical Android Lock Screen Bug Allowing Gemini to Send SMS Without PIN
Key Takeaways
- ▸A specific multi-touch gesture on the Android lock screen bypasses PIN authentication when Gemini tries to access messaging apps
- ▸Attackers with physical device access can send SMS and WhatsApp messages impersonating the device owner without knowing the PIN
- ▸Once the initial bypass succeeds, further app permissions can be granted to Gemini without re-authentication
Summary
Google has acknowledged a critical security vulnerability in Android 16 where a specific multi-touch gesture on the lock screen allows Gemini to bypass PIN authentication and send SMS and WhatsApp messages without user authorization. The exploit works by simultaneously pressing Gemini's "Continue" button and "Add attachment" button when prompted to verify access to messaging apps, tricking the system into granting permissions without requiring the device PIN. Once this initial bypass succeeds, attackers with physical access can then enable Gemini's access to other previously restricted applications like WhatsApp using text commands. Google confirmed the bug is not Pixel-specific and affects multiple Android manufacturers, with a fix scheduled for full deployment this week.
- This is a distinct vulnerability from previous Gemini lock screen bugs reported since September 2025
- Google is deploying a fix this week and confirmed the vulnerability affects multiple manufacturers, not just Pixel devices



