Google says it fixed a Gemini flaw that let someone with physical access to a locked Android phone send messages and reconnect apps without the expected PIN check, but it has not identified the affected devices, delivery channel, or software version that would let users verify the repair.
Google says it has fixed a Gemini bug that let someone holding a locked Android phone send messages and reverse an owner's decision to disconnect apps. The company has not provided the affected device range, delivery channel or software version needed to verify that the repair reached a particular phone.
The latest reported path begins with a phone configured to permit Gemini on the lock screen. If the owner has disconnected Gemini from an app such as Messages, asking the assistant to send an SMS brings up a prompt to open that app. Selecting “Continue” should then require the device PIN.
Pressing “Continue” and Gemini's “Add attachment” control at the same time instead sent the SMS without that PIN, according to the account that obtained Google's response. Entering “@WhatsApp” could similarly reconnect WhatsApp to Gemini without the expected authentication; after the phone was legitimately unlocked, its settings showed the app as connected.
The report does not show a full device unlock. An attacker would need the phone in hand, Gemini available before authentication and the relevant interaction path. It also provides no evidence of exploitation in the wild and no estimate of how many devices were exposed.
A Google spokesperson told the publication that this was a known bug, that Google had implemented a fix and that full deployment was scheduled for the week of the report. The spokesperson said the bug was not limited to Pixel phones, but did not identify other manufacturers, models, Android releases, Gemini or Google app versions, or the mechanism delivering the fix.
That gap prevents a user or device administrator from matching a phone to a documented corrected release. Google's July Android Security Bulletin, published July 6 and updated July 17, says there are no security vulnerabilities in that bulletin. Its July 5 security patch level therefore does not identify the later-described Gemini repair.
The newest SMS path sits beside several lock-screen reports involving simultaneous or sustained touches. That recurrence warrants scrutiny, but the evidence does not support treating every path as one vulnerability or one failed patch. The reports cover different devices, Android generations, Gemini surfaces and disclosure stages, and most of the technical diagnosis comes from the researchers themselves.
Sandiyo Christan wrote that he reproduced a bypass in April on a fully updated Pixel 6a running Android 16 with the March 2026 security patch. His sequence opened Deep Research from the lock-screen Gemini overlay and then used a sustained press on another control to interfere with the re-authentication dialog.
Christan said the sequence took less than 60 seconds and exposed account switching, Gemini settings and conversation history while allowing lock-screen calling and messaging permissions to be enabled. In his May 27 account, he attributed the behavior to lock-screen state not carrying into child activities and to a raceable interface dialog rather than a system-enforced gate. Those are findings from his test and his root-cause assessment, not a Google-confirmed device range or architecture analysis.
Christan described the route as a bypass of a different vulnerability he had previously reported and Google had rewarded. His post labeled the April-tested path “not fixed” as of publication; it does not establish its status after Google's later rollout.
Mustafa Salih Berk described another concurrent-touch path through full-screen Gemini modes including Lyria and Deep Research. He said it provided access to Gemini settings and chat histories, NotebookLM notebooks and Gmail drafts, among other functions.
His repair history cuts against a blanket claim that every related flaw remains unresolved. Berk wrote that Google initially treated his report as a duplicate of an older Android core issue and paid no bounty. After he found that a subsequent Gemini update had left his exploit working, mode buttons were removed from the locked interface as an immediate mitigation. He said a broader patch followed roughly a month later and passed his regression test. His July 1 disclosure states that his specific vulnerability was fully patched.
Surya Rawal's earlier disclosure covered Android 13, 14 and 15 and said the issue was reproduced on a Samsung Galaxy S23 FE and a Pixel 7 Pro. The Samsung sequence involved a race between Bixby and a keyboard-navigation control; Rawal said non-Samsung devices could reach Gemini more directly. The reported effects included access to Google accounts and Gemini data as well as connected-app actions.
Rawal said he submitted the issue to Google's Vulnerability Reward Program on March 20, 2025, that Google accepted it and paid a reward, and that the vulnerability was publicly disclosed on September 10. The September 30 technical post says remediation was pursued, but does not provide a patch version or a cross-device regression matrix.
Together, the accounts show that pre-authentication assistant interfaces have repeatedly exposed race-like interaction paths into more privileged features. They do not show that the same code defect caused each path, that every Android phone was affected, or that the latest Google fix covers all earlier variants.
The physical-access requirement substantially narrows the threat. Nothing in the retained evidence describes a remote trigger, and a locked phone without the relevant Gemini access would not meet the reported prerequisites.
Physical possession is still a realistic condition for mobile security. The Metropolitan Police reported 14,000 fewer theft-from-person and robbery offenses involving a stolen phone across London from June 2025 through May 2026, an 18% decline from the preceding 12 months. Those police figures cover recorded offenses in one city; they do not measure vulnerable Android devices, Gemini use, or exploitation of this bug.
That distinction matters. The available record supports a plausible opportunity for an attacker who acquires a configured phone, not a claim of widespread compromise. No source identifies an exploited victim, an affected-device count or a measured success rate for the gesture.
Google's statement answers whether the company recognizes the latest behavior as a bug and says it has acted. It does not answer which phones needed the fix or how an owner can confirm receipt.
The decisive evidence would be an affected-products list; the corrected Gemini or Google app version; the rollout channel and completion date; and regression results for the latest SMS and app-reconnection sequence across the affected device families. A public advisory or vulnerability identifier would give device makers and enterprise administrators a stable reference.
Independent retesting would then need to separate the latest two-control gesture from the Deep Research, Lyria and device-specific routes described in earlier disclosures. Until that evidence exists, the defensible conclusion is limited: Google says the newest reported bypass is fixed, one earlier researcher says his separate route is also fixed, and the public record still does not let users verify the latest repair on their own devices.
Get concise AI news and useful context from the Magica team.
Read the newsletterChristian Faith Madison’s estate alleges GPT-4o sustained a months-long narrative of prophecy, sacrifice and resurrection before her death. Public safety disclosures and controlled research make that failure mode plausible, but neither establishes which model behavior she encountered or whether it caused her death.
Shanghai AI Laboratory has released Intern-S2-Preview-397B as downloadable weights and a hosted API, but its own 35B alternative offers the same context window and a far smaller disclosed scale while the larger model still lacks auditable comparative scores, pricing and physical-validation results.
Mixfont's free Decoy Font gives each glyph a sharp decoy and a blurred intended letter, creating a hurdle for pixel-based readers while leaving selectable text, known-image techniques and accessibility costs outside its protection.
Zhipu reportedly reached $1 billion in annual recurring revenue in July, roughly four times a March estimate, but the unconfirmed run rate is not annual sales and still sits far ahead of recognized cloud revenue while margins remain thin.
Cmpunlocker says patched Nvidia open kernel modules can expose 64GB of HBM on an 8GB CMP 170HX or 40GB on a 10GB card while removing an SM throttle. The exploit mechanism is documented, but the retained evidence does not independently validate the tool across full-memory workloads, error rates, power use or A100-class performance.
An unidentified industry source says at least one Nvidia board partner has physical RTX 50 Super cards but cannot sell them, with 3GB GDDR7 quoted at $60 to $70 per chip. The reported memory bill explains a plausible pricing problem, but neither Nvidia nor a second independent source has confirmed the products, the hold or the component terms.
Anthropic’s 20-year lease gives TeraWulf a customer for 401 megawatts of future AI infrastructure, but rent starts only after delivery and the proposed utility deal passes power and grid costs to TeraWulf, leaving financing and project margin unresolved.
OpenAI has put conversations and Projects back in its redesigned ChatGPT desktop app and enabled cloud Work threads to move across devices, correcting the launch's biggest usability failures without merging local Work or Codex histories.
Twenty-nine countries signed an agreement creating WAICO as an independent intergovernmental organization, while China paired the launch with capacity-building offers that are not yet confirmed as WAICO programs.
Meta reportedly plans to put departing AWS compute executive Dave Brown to work on its data-center buildout, adding hyperscale operating experience while leaving any customer-facing cloud business conditional and undefined.
Moonshot AI has made Kimi K3 available through its apps and API, pairing a 2.8-trillion-parameter architecture with early frontier-level results, but the model's open-weight claim cannot be tested until its weights and technical report arrive.
CIA Director John Ratcliffe said US intelligence is consistent with an estimate that Russian recruits last 20 to 30 minutes on Ukraine’s battlefield, but the public trail leads to an unsourced claim about assault troops and does not establish a representative average.
China has paired a five-year AI training offer for developing countries with cooperation centers, a weather-warning rollout and a new 29-country organization. The package gives Beijing a platform for influence, but no budget, selection rules or delivery timetable has been published.
The FastFlowLM team has joined AMD after building a Ryzen AI NPU inference flow on technology AMD already developed and distributed. The move could reduce model-support delays, but its financial significance, transaction perimeter and performance benefit remain undisclosed.
Federal intervention changed the launches of Anthropic's Claude Fable 5, Claude Mythos 5 and OpenAI's GPT-5.6, but through different legal and voluntary channels. The result is real government leverage over early customers without a common security threshold or durable review process.
A proposal developed with Treasury Secretary Scott Bessent would put an independent AI regulator under SEC oversight, but President Trump had not reviewed it and its tests, funding and enforcement authority remained unresolved.
San Francisco has demanded that Apple and Google cut off 13 apps capable of producing nonconsensual sexual deepfakes. The threatened case could test California’s new liability rules, but the confidential app list and the law’s “primary purpose” definition leave a central question unresolved.
Anthropic will keep Claude Fable 5 inside Max and Team Premium plans from July 20 at 50% of their usage limits, while Pro and Team Standard customers move to separately billed credits. The durable change is who gets bundled access, not a larger allowance for top-tier users.
HKT plans a 3.2 Tbps data-centre route from Lok Ma Chau to Tseung Kwan O by the end of 2026, but has not disclosed customer bandwidth, price, project cost or end-to-end latency, while Sandy Ridge's developer expects to start within 42 months of its land award.
Apple briefly topped Nvidia during Friday trading before Nvidia closed about $6 billion ahead. The filings show why that ranking is a weak AI verdict: Apple’s operating momentum predates its new Siri, while Nvidia’s rapid growth comes with concentrated customers and large forward commitments.