top of page
Search

Exposed Google API Keys Turn Into Gemini AI Access Tokens, Expanding Mobile App Attack Surface

  • Apr 13
  • 4 min read

A new wave of research is reshaping how security teams think about Google API keys. Long treated as low-risk identifiers for public services, these keys are now being linked to direct access into Gemini AI environments, creating a pathway for data exposure, service abuse, and unexpected financial impact.


Security researchers from CloudSek are warning that thousands of Android applications may be unintentionally exposing access to Google’s AI infrastructure through hardcoded API keys embedded in their codebases. What was once considered acceptable practice is now emerging as a significant risk in the age of generative AI.


From Harmless Identifiers to AI Credentials


For years, developers have embedded Google API keys into applications to enable services like maps, analytics, and other public-facing features. Google has historically maintained that these keys are not secrets. That assumption is now under pressure.


Recent findings from Truffle Security revealed that many of these same keys can authenticate against Gemini AI endpoints. In practical terms, this means a key originally intended for a benign service could now unlock access to AI-powered resources, including stored files and processing capabilities.


“We scanned millions of websites and found nearly 3,000 Google API keys that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account,” Truffle said in February.


Follow-up research from mobile security firm Quokka expanded the scope dramatically, identifying tens of thousands of exposed keys across hundreds of thousands of Android apps. Because Android packages can be easily reverse engineered, extracting these keys requires little effort and can be automated at scale.


“Because Android applications can be easily unpacked and inspected, extracting these keys requires minimal technical skill, and automated scraping at scale is entirely feasible. What used to be low-risk visibility has quietly turned into a meaningful attack surface,” Quokka said.


CloudSEK: Real-World Exposure Across Popular Apps


Adding urgency to the issue, CloudSEK uncovered active exposure in widely used applications. The firm identified dozens of API keys embedded in popular Android apps that can be used to access Gemini AI services without authorization.


These apps collectively reach hundreds of millions of users, raising concerns about indirect data exposure. While the keys primarily grant access to developer-controlled environments, any user data processed through those systems could be at risk if accessed through compromised credentials.


The core issue lies in how permissions evolve. When developers enable Gemini AI features in a project, previously issued API keys can automatically inherit access to new endpoints. This effectively upgrades old keys into powerful credentials without requiring any action or awareness from developers.


Attackers who obtain these keys can perform a range of actions, including querying AI models, accessing stored files, draining usage quotas, and generating costs tied to the victim organization’s account.


The Rise of “Denial-of-Wallet” Attacks


The financial implications of this shift are becoming just as important as the data risks. AI services operate on usage-based billing, meaning unauthorized access can quickly translate into real monetary losses.


Craig Riddell, Global Field CISO at Wallarm, said the industry is underestimating how quickly API misuse can escalate.


“Incidents like this show how quickly the risk model is changing with AI. What looks like a simple exposed API key can now turn into real-time financial impact, because APIs are no longer just access points; they are direct pathways to compute and cost.


In this case, nothing technically “broke.” A valid API key was used exactly as designed. The gap is that security validated access, but never validated intent or scale. That’s where denial-of-wallet becomes real, where legitimate access drives uncontrolled consumption at machine speed.


The response of blocking traffic at the IP level reflects how most defenses are still operating at the wrong layer. IP-based controls are easy to bypass in modern environments where requests can be distributed or proxied at scale.


What’s needed now is session-level understanding. Not just who has access, but how that access is being used in real time. Without that, organizations will continue to detect abuse only after the damage is already done.”


A Shift in API Security Strategy


This development highlights a broader transformation in cloud and AI security. API keys are no longer just identifiers. They are increasingly tied to powerful backend systems that process sensitive data and incur real costs.


The problem is compounded by developer guidance that historically encouraged embedding these keys directly into applications. Once published, those keys persist across app versions and can be harvested indefinitely.


Security teams now face a new reality where legacy design decisions collide with modern AI capabilities. Controls that once focused on authentication must evolve toward monitoring behavior, limiting scope, and enforcing least privilege across AI services.


What Enterprises Should Do Next


The findings point to several immediate actions for organizations building or deploying AI-enabled applications:

  • Audit all existing API keys and identify unintended access to AI services

  • Restrict keys by service, environment, and usage limits wherever possible

  • Move sensitive credentials out of client-side code and into secure backends

  • Implement real-time monitoring to detect abnormal API usage patterns

  • Rotate exposed keys and enforce tighter access controls across projects


As AI platforms continue to integrate deeper into developer ecosystems, the boundary between public and sensitive credentials is rapidly disappearing. What was once considered safe to expose is now a direct line into compute, data, and cost.


For security leaders, the takeaway is clear. In the era of AI-driven infrastructure, every key is a potential entry point, and every request carries both data and financial risk.

bottom of page