Introduction
Earlier this year, I discovered a critical security flaw in the Android Lock Screen that shocked even me when I first reproduced it. The vulnerability allowed lock screen bypass and unauthorised access to Google accounts, Gemini data, and even connected apps, all without requiring a PIN, password, or biometric input.
In this post, I will walk through:
- How I discovered the bug
- Steps to reproduce (in simplified terms)
- Real-world abuse scenarios
- My coordinated disclosure with Google
- Key lessons for the security community
The Discovery
The bug emerged from a subtle race condition occurring between Bixby (Samsung’s assistant) and the on-screen keyboard navigation toggle. On non-Samsung devices, the same flaw could be triggered directly via Google Gemini assistant activation.
This revealed a serious oversight: Android 14’s lock screen protections could be bypassed through UI manipulation alone: no malware, no rooting, no advanced exploitation.
Vulnerability Summary
Title: Lock Screen Bypass via Gemini & Keyboard/Bixby Race Condition
Impacted Platforms: Android 13, 14, 15 (reproduced on Samsung Galaxy S23 FE, Pixel 7 Pro, and likely other devices)
Severity: High / Critical
Exploitation Steps (simplified)
- Invoke the assistant on the lock screen
  - Samsung: Long-press Power → Bixby.
  - Pixel/Other: Long-press Power → Gemini.
- Trigger the Race Condition (Samsung only)
  - Rapidly alternate between the spacebar and the keyboard icon.
  - The Gemini UI pops up before lock validation.
  - (Pixel and other Android devices: no race needed; the direct Gemini popup already works.)
- Gemini Interaction on the Lock Screen
  - Type a message, then stop its response → Gemini context unlocked.
  - UI elements (flag/report, profile icon, etc.) are now clickable despite the lock screen.
- Privilege Escalation
  - Long-press the flag button + tap the profile icon → Switch to / access all Google accounts on the device.
  - Tap the “+” and chat icons simultaneously → Full Gemini chat history exposed.
  - Open Gemini settings → Enable options such as “Make calls & send messages without unlocking”.
- Extended Exploits
  - Send WhatsApp messages, SMS, or calls directly.
  - Interact with Gmail (compose drafts).
  - Export Gemini-generated reports to Drive/Docs, draining available storage.
  - Trigger Gemini Live → access a camera & mic session from the locked device.
  - Interact with smart home appliances via Gemini.
At this point, the phone is essentially “open” without ever touching the PIN/password.
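The steps above work because the lock check effectively happened once, when the assistant UI appeared, while the privileged actions (account switching, chat history, settings) ran later without being re-checked. As an added illustration of the defensive pattern, and not Google's or Samsung's code, here is a hypothetical `LockedActionGate` helper that re-reads `KeyguardManager.isDeviceLocked()` immediately before every sensitive action and routes through `requestDismissKeyguard` when the device is still locked. The class and method names are assumptions; it assumes minSdkVersion 22 for `isDeviceLocked()`.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.os.Build;
import android.util.Log;

/** Hypothetical gate: decides at action time, not at UI-show time, whether a
 *  privileged assistant action (account switch, history, settings) may run. */
public final class LockedActionGate {
    private static final String TAG = "LockedActionGate";
    private final Activity activity;
    private final KeyguardManager keyguard;

    public LockedActionGate(Activity activity) {
        this.activity = activity;
        this.keyguard = (KeyguardManager) activity.getSystemService(Context.KEYGUARD_SERVICE);
    }

    /** True only when the user has authenticated (PIN/password/biometric).
     *  isDeviceLocked() is the secure-lock check; isKeyguardLocked() alone is
     *  also true for a swipe-only screen and must not be used as authorisation. */
    public boolean isUnlocked() {
        return !keyguard.isDeviceLocked();
    }

    /** Run {@code action} now if unlocked; otherwise ask the system to show the
     *  real keyguard and run it only after a successful dismissal. The lock state
     *  is re-read here, so a stale "unlocked" flag cached when the assistant UI
     *  first appeared cannot authorise a later privileged action. */
    public void runSensitive(String name, Runnable action) {
        if (isUnlocked()) {
            action.run();
            return;
        }
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            Log.w(TAG, "Blocked '" + name + "' on locked device (no dismiss API before API 26)");
            return;
        }
        keyguard.requestDismissKeyguard(activity, new KeyguardManager.KeyguardDismissCallback() {
            @Override public void onDismissSucceeded() {
                // Re-check rather than trust the callback alone: another component
                // could have re-locked the device between dismissal and this call.
                if (isUnlocked()) action.run();
            }
            @Override public void onDismissCancelled() { Log.i(TAG, "User cancelled '" + name + "'"); }
            @Override public void onDismissError() { Log.w(TAG, "Keyguard dismiss failed for '" + name + "'"); }
        });
    }
}
```

A caller wraps each privileged entry point, e.g. `gate.runSensitive("switch-account", this::switchAccount);`, so the check cannot be skipped by reaching the UI element through a race.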
Proof of Concept (PoC):
Security Impact
The vulnerability impacted all three classic pillars of security (CIA):
- Confidentiality: Private emails, Gemini history, contacts, and WhatsApp messages were exposed.
- Integrity: Attackers could send messages, create Google Docs, or even interact with smart appliances.
- Availability: By abusing Gemini’s content generation and export features, cloud storage quotas (such as Google Drive’s 15GB) could be quickly exhausted.
Coordinated Disclosure
I reported the issue to Google’s Vulnerability Reward Program (VRP) in March 2025. The coordination journey was constructive and collaborative, involving multiple follow-ups with Google’s Trust & Safety, Product Security, and Abuse teams.
The teams acknowledged the issue, filed it for remediation, and provided me with a generous reward as part of the program. More importantly, they ensured the flaw was addressed responsibly within the ecosystem.
Responsible Disclosure Timeline
- Mar 20, 2025: Initial report filed.
- Mar–Apr 2025: Triaged, confirmed, and fully accepted.
- Apr–Jun 2025: Additional abuse scenarios documented and validated.
- Jul–Aug 2025: Acknowledgement, remediation process, and preparation for disclosure.
- Sept 10, 2025: Public disclosure with PoC demonstration.
Conclusion
This vulnerability demonstrates how even simple input-handling flaws can erode core trust boundaries in mobile devices. A locked Android 14 phone was anything but secure, with Gemini effectively handing attackers a backdoor to sensitive data. Through constructive collaboration with Google’s VRP team, the vulnerability was acknowledged, and I received a fair monetary reward for the finding. Most importantly, fixes are being prioritised to prevent real-world exploitation.