Jul 18, 2026
Policy

Google says fix is imminent for Gemini Android lock screen messaging bug

The flaw can let someone with a locked Android phone use Gemini to send SMS or WhatsApp messages without entering the device PIN.

Dominic Okoye

By Dominic Okoye · Staff Writer

· 3 min read

Google says fix is imminent for Gemini Android lock screen messaging bug
Photo: The Register

Google has implemented a fix for an Android lock screen flaw that can let Gemini send messages from a locked device without the owner’s PIN, according to a company spokesperson cited by The Register. The issue affects Android devices with Gemini enabled on the lock screen, and Google said a full rollout was scheduled for this week, though it did not disclose the affected manufacturers, models or Android versions.

The Register reported that it has received multiple reports since May of authentication bypasses on Android 16 devices where Gemini is available from the lock screen. The publication said the latest issue is separate from other Gemini-related Android lock screen bypass bugs that have circulated since September 2025.

The reported flaw requires the attacker to have the phone in hand. That constraint limits the exposure compared with remote account takeover bugs, but phones are high-value targets precisely because they are portable and often already authenticated into messaging, payments and work apps. The Register pointed to phone theft in the UK and the possibility of fraudulent SMS messages, including fake kidnapping scams, as reasons the bug is more than a lab curiosity.

How the bypass works, according to The Register

The Register described one bug that lets an unauthenticated user with physical access use a specific multi-touch interaction to get Gemini on the lock screen to enable functions including phone, text messaging and WhatsApp.

The sequence begins when a device owner has previously removed Gemini’s access to an app such as Messages. If someone then tries to send an SMS through Gemini from the lock screen, Gemini asks the user to open the relevant app. Pressing “Continue” normally triggers the expected PIN prompt before Messages can be accessed.

According to The Register, the bypass occurs when “Continue” is pressed at the same time as Gemini’s “Add attachment” button. The device then permits the SMS to be sent through Gemini without requiring the PIN.

The publication also reported that, after the bypass, a user can connect Gemini to other apps that had previously been disconnected in settings. For WhatsApp, The Register said entering “@WhatsApp” in the Gemini text box can trigger the connection flow without the expected authentication step. After later unlocking the device normally, the settings page shows WhatsApp as connected to Gemini, according to the report.

Google says the bug is not limited to Pixel

A Google spokesperson told The Register that the company already knew about the bug and had implemented a fix for deployment this week. The spokesperson also said the issue is not specific to Pixel devices.

Google did not tell The Register which device makers, models or software builds are vulnerable. That omission matters for enterprise security teams and Android fleet administrators because Android update timing varies by manufacturer and carrier. It also leaves users without a clear way to know whether their handset is affected before the fix reaches them.

The safest interim control suggested by the facts reported is to limit Gemini’s lock screen availability where possible until the fix is installed. Google’s statement indicates a remedy is coming, but the company has not publicly narrowed the exposure by device family or version.

This story draws on original reporting from The Register.

More from Policy

All Policy →