惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
Security Archives - TechRepublic
Security Archives - TechRepublic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CERT Recently Published Vulnerability Notes
S
Security @ Cisco Blogs
S
Security Affairs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
Lohrmann on Cybersecurity
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Hacker News: Ask HN
Hacker News: Ask HN
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
A
Arctic Wolf
NISL@THU
NISL@THU
P
Proofpoint News Feed
W
WeLiveSecurity
S
Schneier on Security
AI
AI
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
L
LINUX DO - 最新话题
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Know Your Adversary
Know Your Adversary
Scott Helme
Scott Helme
V
Vulnerabilities – Threatpost
Cyberwarzone
Cyberwarzone
I
Intezer
S
Securelist
Help Net Security
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
量子位
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
Last Week in AI
Last Week in AI
Jina AI
Jina AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
WordPress大学
WordPress大学
罗磊的独立博客
月光博客
月光博客
雷峰网
雷峰网
A
About on SuperTechFans
The GitHub Blog
The GitHub Blog
T
The Blog of Author Tim Ferriss
MongoDB | Blog
MongoDB | Blog
大猫的无限游戏
大猫的无限游戏
博客园 - 司徒正美
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events

GRAHAM CLULEY

Anubis ransomware: what you need to know Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers The ransomware negotiator who was working for the other side Invited to a "job interview" with Netflix or OpenAI? Beware! Your Google password could be at risk Smashing Security podcast #475: JadePuffer - the AI that ran a ransomware attack all by itself Two arrested over credit card phishing - as the Netherlands is named Europe's worst for payment fraud The Gentlemen ransomware: what you need to know Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack? Scammers race to cash in on Venezuelan earthquake disaster USB drives carrying China-linked malware infected Japanese military networks for nearly a year Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup Hacker hijacks Brazil's national alert system, sending "misanthropy" to millions of phones Apple's Hide My Email tweak leaves privacy fans fuming Imposter scams cost Americans $3.5 billion in 2025 – and it’s getting worse Smashing Security podcast #472: AI gets hacked, and BitLocker gets bypassed Maine forced to take down data breach portal after fake notices filed with authorities Privacy own-goal: World Cup blunder leaks Lionel Messi's passport details Silent Ransom Group: what you need to know Smashing Security podcast #471: This AI worm just rewrote its own rules Why schools remain one of cybercriminals' favourite targets Got a LinkedIn message from a recruiter? It might be Chinese intelligence, warn FBI and MI5 Meta’s own AI chatbot to blame for Instagram accounts being stolen in seconds Smashing Security podcast #470: This AI security flaw might be impossible to fix Police arrest man following hack of Ajax football club MyPillow listed on ransomware gang's leak site, but denies it has been breached Smashing Security podcast #469: What your Oura ring won’t tell you FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts — no password required Defenders fall behind, as AI rewrites the rules of a data breach Smashing Security podcast #468: High-speed train hacks and homicidal lawnmowers FBI warns students and staff that ShinyHunters may come knocking after Canvas breach Suspected Dream Market kingpin arrested after gold bars sent to his home address When ransomware gets physical: cybercriminals turn to threats of violence Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities One in eight UK workers has sold their company passwords, and bosses think it’s fine Inside Department 4: Russia's secret school for hackers Sri Lanka makes 37 arrests as it raids another scam centre Smashing Security podcast #466: Meta sees everything, Copy Fail, and a deepfake gets hired Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions Alleged Silk Typhoon hacker extradited to the United States to face charges French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not Singer loses life savings to fake wallet downloaded from the Apple App Store Sometimes changing the password on your email mailbox isn’t enough 108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users AI and cryptocurrency scams are costing Americans billions, FBI reports Life imprisonment for Cambodian scam compound operators - but will it make a difference? Nigerian romance scammer jailed after being caught out by fellow fraudster Alleged RedLine malware developer extradited to United States Iranian hackers breach FBI director's personal email, and post his CV and photos online World Leaks data extortion: What you need to know How one man used 10,000 bots to steal $8,000,000 from music artists Denver's crosswalks hacked to broadcast anti-Trump messages LeakNet ransomware: what you need to know Free parking in Russia after Distributed Denial-of-Service attack knocks city's parking system offline Fraudsters are using public planning records to target permit applicants Your Signal account is safe - unless you fall for this trick Twitter suspended 800 million accounts last year — so why does manipulation remain so rampant? How hackers bypassed MFA with a $120 phishing kit - until a global takedown shut it down They seized $4.8m in crypto... then gave the master key to the internet
Google's Gemini lets strangers send messages from your locked Android phone
Graham CLULEY · 2026-07-18 · via GRAHAM CLULEY

Gemini, Google's AI assistant, is supposed to make life easier for Android smartphone owners. But right now it may also be making life easier for anyone anyone who happens to pick up your phone.

As The Register reports, Google is working on a fix for a vulnerability that allows an attacker with physical access to a locked Android 16 device to use Gemini to send SMS messages and WhatsApp texts, without ever needing to enter a PIN.

So, imagine the scene. Someone gets hold of your locked Android phone and, despite not knowing your security PIN, they can send messages via SMS or WhatsApp pretending to come from you.

The Register says that it has received multiple reports since May of how it is possible to bypass authentication on Android 16 devices that have enabled Gemini access from the lock screen.

In May 2026, a security researcher published a write-up describing how they had reproduced the problem on a fully patched Pixel 6a, using Gemini's Deep Research feature as the entry point.

It is clear that Google has patched Gemini lock screen issues before, but security researchers keep finding new ways through.

The latest vulnerability is different from the previous similar Gemini-based Android lock screen bypass bugs that have been plaguing the operating system since September 2025.

This latest exploit requires a specific multi-touch gesture. When Android devices have revoked Gemini's access to apps like Messages, and someone tries to send an SMS via Gemini on the lock screen, the user is prompted to enter a PIN. However, when "Continue" is pressed simultaneously with Gemini's "Add attachment" button, the device allows the SMS to be sent without any authentication.

An attacker can then enable Gemini's access to other previously disconnected apps. All they have to do is invoke the relevant prompt by - for instance - typing "@WhatsApp" in Gemini's text window. Once again, no PIN is requested or required.

What makes this particularly sneaky is that the changes are not temporary. If a victim later unlocks their phone and checks their Gemini settings, they will find that WhatsApp has been connected to Gemini, even though no PIN was ever entered.

Of course, exploiting a vulnerability like this does require physical access to a vulnerable Android device. This is not an attack which can be carried out by a remote hacker. But, as we all know, it is all too common for a device to be left unattended, or snatched from a bag, or handed to someone you think you can trust.

A spokesperson at Google told The Register that this new bug is known about, and that a fix is scheduled to be rolled-out this week. But in the meantime, you would be wise to restrict what Gemini can access from your lock screen.

To do that:

  • Open the Gemini app, tap your profile picture, go to Settings, and select "Gemini on lock screen."
  • Turn off "Use Gemini without unlocking" entirely, or (if you are not comfortable with that) disable "Make calls and send messages without unlocking."

Google will no doubt patch this particular bug. But the underlying problem is still present. Every new capability Gemini is given at the lock screen is also a new potential attack surface. The more useful your AI assistant becomes without you needing to unlock your phone, the harder it becomes to guarantee that only you can use it.