Security researchers have discovered a major vulnerability in Android apps where hardcoded Google API keys can be easily extracted and exploited to access Gemini AI endpoints. CloudSEK found 32 such keys in 22 popular apps with over 500 million combined users, allowing attackers to access private files, cached content, and charge AI usage to developers' accounts. The problem stems from Google's own documentation recommending embedding these keys, which were previously considered harmless but now automatically grant access to Gemini services when AI is enabled on a project.
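A release-time check for the exposure described above, as an added example that is not taken from CloudSEK's report or Google's documentation: it scans an APK (a ZIP archive) for strings shaped like Google API keys, in both ASCII and UTF-16LE form. The `AIza` prefix plus 35 URL-safe characters is the pattern commonly used by secret scanners and is an assumption here, not something stated on this page; the function names and the sample archive with its fake key are constructed.

```python
import io
import re
import zipfile

# Assumed key shape: "AIza" plus 35 URL-safe characters (39 in total).
_BODY = rb"[0-9A-Za-z_\-]"
ASCII_KEY = re.compile(rb"AIza" + _BODY + rb"{35}(?!" + _BODY + rb")")
# resources.arsc string pools may be UTF-16LE, so match that form as well.
UTF16_KEY = re.compile(rb"A\x00I\x00z\x00a\x00(?:" + _BODY + rb"\x00){35}")


def redact(key: str) -> str:
    """Keep enough of the key to locate it without copying the secret into logs."""
    return key[:8] + "..." + key[-4:]


def scan_apk(apk) -> list:
    """Return (entry name, encoding, redacted key) for each key-shaped string.

    `apk` is a path or a file-like object.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for m in ASCII_KEY.finditer(data):
                findings.append((info.filename, "ascii", redact(m.group().decode("ascii"))))
            for m in UTF16_KEY.finditer(data):
                findings.append((info.filename, "utf-16le", redact(m.group().decode("utf-16-le"))))
    return findings


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for a release APK; the key below is fake."""
    fake_key = "AIza" + "X" * 35
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"\x00junk" + fake_key.encode("ascii") + b"\x00")
        zf.writestr("resources.arsc", b"\x01\x02" + fake_key.encode("utf-16-le") + b"\x00\x00")
        zf.writestr("assets/readme.txt", b"AIza-too-short")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, encoding, key in scan_apk(build_sample_apk()):
        print(f"{entry}: {encoding} key {key}")
```

A hit only shows that a key ships inside the app; whether that key reaches Gemini depends on which APIs are enabled on its project and how the key is restricted, which has to be checked in the Google Cloud console.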