Android Lock Screen Bypass Through Google Gemini
This article describes a serious Android lock screen security vulnerability: a race condition between Google Gemini and the keyboard/Bixby allows the lock screen to be bypassed, giving unauthorised access to Google accounts, Gemini data and connected apps. The vulnerability affects Android 13 through 15 and was reproduced on several devices. The author reported it to Google through coordinated disclosure and received a reward for the fix. 2025-09-30 08:05:58 Author: payatu.com

Introduction

Earlier this year, I discovered a critical security flaw in the Android Lock Screen that shocked even me when I first reproduced it. The vulnerability allowed lock screen bypass and unauthorised access to Google accounts, Gemini data, and even connected apps, all without requiring a PIN, password, or biometric input.

In this post, I will walk through:

  • How I discovered the bug
  • Steps to reproduce (in simplified terms)
  • Real-world abuse scenarios
  • My coordinated disclosure with Google
  • Key lessons for the security community

The Discovery

The bug emerged from a subtle race condition occurring between Bixby (Samsung’s assistant) and the on-screen keyboard navigation toggle. On non-Samsung devices, the same flaw could be triggered directly via Google Gemini assistant activation.

This revealed a serious oversight: Android 14’s lock screen protections could be bypassed through mere UI manipulation: no malware, no rooting, no advanced exploitation.

Vulnerability Summary

Title: Lock Screen Bypass via Gemini & Keyboard/Bixby Race Condition
Impacted Platforms: Android 13, 14, 15 (reproduced on Samsung Galaxy S23 FE, Pixel 7 Pro, and likely other devices)
Severity: High / Critical

Exploitation Steps (simplified)

  1. Invoke the assistant on the lock screen
    • Samsung: Long-press Power → Bixby.
    • Pixel/Other: Long-press Power → Gemini.
  2. Trigger Race Condition (Samsung-only)
    • Rapidly alternate between the spacebar and the keyboard icon.
    • Gemini UI pops up before lock validation.

(Pixel and other Android devices: no race needed, direct Gemini popup already works)

  3. Gemini Interaction on Lock Screen
    • Type a message, then stop its response → Gemini context unlocked.
    • Now UI elements (flag/report, profile icon, etc.) are clickable despite the lock screen.
  4. Privilege Escalation
    • Long press the flag button + tap profile icon → Switch/access all Google accounts on device.
    • Tap “+” plus chat icon simultaneously → Full Gemini chat history exposed.
    • Access Gemini settings → Enable options like “Make calls & send messages without unlocking”.
  5. Extended Exploits
    • Send WhatsApp/SMS/calls directly.
    • Interact with Gmail (compose drafts).
    • Export Gemini-generated reports to Drive/Docs, draining available storage.
    • Trigger Gemini Live → access camera & mic session from locked device.
    • Interact with Smart Home appliances via Gemini.

At this point, the phone is essentially “open” without ever touching the PIN/password.
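The defensive lesson in the steps above is that the assistant surface became interactive before the lock state had been validated, so controls that were visible were also usable. The Android Activity below is an added example, not code from the original post or from Google's or Samsung's assistant: it shows the pattern a surface that is allowed over the keyguard should follow, namely checking KeyguardManager at the moment each sensitive control is used (not only when the panel is drawn) and routing the action through requestDismissKeyguard so it runs only after the user has authenticated. The class name AssistantPanelActivity and the intent action strings are hypothetical; KeyguardManager.isDeviceLocked, isKeyguardLocked, requestDismissKeyguard and Activity.setShowWhenLocked are real Android framework APIs.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.widget.Button;
import android.widget.LinearLayout;
import android.widget.TextView;

// Added example (hypothetical class, not the original post's or any vendor's code).
// A surface shown over the keyguard must treat "the UI is visible" and
// "the device is unlocked" as two separate facts.
public class AssistantPanelActivity extends Activity {

    /** Hypothetical functional interface for an action that needs an unlocked device. */
    interface SensitiveAction { void run(); }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The panel may appear over the lock screen (API 27+), which is exactly
        // why none of the controls below trusts its own visibility.
        setShowWhenLocked(true);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-evaluate on every resume: an input race can bring the panel
        // forward before the keyguard has been dismissed.
        render();
    }

    private KeyguardManager keyguard() {
        return (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
    }

    /** Fails closed: a missing service is treated as "locked". */
    private boolean deviceLocked() {
        KeyguardManager km = keyguard();
        // isDeviceLocked(): a credential is set and has not been entered yet.
        // isKeyguardLocked(): the keyguard is currently showing at all.
        return km == null || km.isDeviceLocked() || km.isKeyguardLocked();
    }

    private void render() {
        LinearLayout root = new LinearLayout(this);
        root.setOrientation(LinearLayout.VERTICAL);
        TextView status = new TextView(this);
        status.setText(deviceLocked() ? "Locked: limited controls" : "Unlocked");
        root.addView(status);
        // Every control gates at click time, so even a panel that was drawn
        // before lock validation cannot expose accounts, history or settings.
        root.addView(gated("Switch account", this::openAccountSwitcher));
        root.addView(gated("Chat history", this::openHistory));
        root.addView(gated("Assistant settings", this::openSettings));
        setContentView(root);
    }

    private Button gated(String label, SensitiveAction action) {
        Button b = new Button(this);
        b.setText(label);
        b.setOnClickListener(v -> runWhenUnlocked(action));
        return b;
    }

    /** Runs the action only after the keyguard has been dismissed by the user. */
    private void runWhenUnlocked(SensitiveAction action) {
        if (!deviceLocked()) { action.run(); return; }
        keyguard().requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
            @Override public void onDismissSucceeded() {
                // Check the state again rather than trusting the callback alone.
                if (!deviceLocked()) action.run();
            }
            @Override public void onDismissCancelled() { render(); }
            @Override public void onDismissError() { render(); }
        });
    }

    // Hypothetical intent actions, named for illustration only.
    private void openAccountSwitcher() { startActivity(new Intent("com.example.assistant.OPEN_ACCOUNTS")); }
    private void openHistory()         { startActivity(new Intent("com.example.assistant.OPEN_HISTORY")); }
    private void openSettings()        { startActivity(new Intent("com.example.assistant.OPEN_SETTINGS")); }
}
```

The design choice worth noting is that the lock check lives in the click path and is repeated inside the dismiss callback, so a panel that a race condition manages to surface early still has no usable sensitive control until the keyguard has genuinely been passed.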

Proof of Concept (PoC):

Security Impact

The vulnerability impacted all three classic pillars of security (CIA):

  • Confidentiality: Private emails, Gemini history, contacts, and WhatsApp messages were exposed.
  • Integrity: Attackers could send messages, create Google Docs, or even interact with smart appliances.
  • Availability: By abusing Gemini’s content generation and export features, cloud storage quotas (such as Google Drive’s 15 GB) can be quickly exhausted.

Coordinated Disclosure

I reported the issue to Google’s Vulnerability Reward Program (VRP) in March 2025. The coordination journey was constructive and collaborative, involving multiple follow-ups with Google’s Trust & Safety, Product Security, and Abuse teams.

The teams acknowledged the issue, filed it for remediation, and provided me with a generous reward as part of the program. More importantly, they ensured the flaw was addressed responsibly within the ecosystem.

Responsible Disclosure Timeline

  • Mar 20, 2025: Initial report filed.
  • Mar–Apr 2025: Triaged, confirmed, fully accepted.
  • Apr–Jun 2025: Additional abuse scenarios documented and validated.
  • Jul–Aug 2025: Acknowledgement, remediation process, and preparation for disclosure.
  • Sept 10, 2025: Public disclosure with PoC demonstration.

Conclusion

This vulnerability demonstrates how even simple input-handling flaws can erode core trust boundaries in mobile devices. A locked Android 14 phone was anything but secure, with Gemini effectively handing attackers a backdoor to sensitive data. Through constructive collaboration with Google’s VRP team, the vulnerability was acknowledged, and I received a fair monetary reward for the finding. Most importantly, fixes are being prioritised to prevent real-world exploitation.


Article source: https://payatu.com/blog/android-lock-screen-bypass-through-google-gemini/