• 2 min read
Android 16 bug lets Gemini send texts from lock screen
Google says a fix is rolling out this week for an Android 16 lock-screen bug that can let Gemini send SMS or WhatsApp messages without a PIN.

Image: The Register
A lock-screen bug in Android 16 can let someone with physical access to a phone use Gemini to send SMS or WhatsApp messages without entering the device PIN. Google told The Register it is aware of the issue and has already implemented a fix, with full deployment scheduled this week.
According to the report, The Register has received multiple reports since May involving Android 16 devices that have Gemini access enabled from the lock screen. The publication says these are separate from similar Gemini-based Android lock-screen bypass flaws that have circulated since September 2025.
The reported exploit hinges on a specific multi-touch gesture. When a device owner has revoked Gemini’s access to an app such as Messages, Gemini on the lock screen will ask the user to open the app if someone tries to send a text. Tapping “Continue” should trigger a PIN prompt. But if “Continue” is pressed at the same time as Gemini’s “Add attachment” button, the phone may allow the message to be sent anyway, without authentication.
From there, the report says, an attacker can reconnect Gemini to other apps that were previously disabled in Settings. One example given is entering “@WhatsApp” in the Gemini text box to restore access, again without a PIN. After the owner later unlocks the phone correctly, Settings may show that WhatsApp is connected to Gemini even though the expected authentication step never happened.
The flaw requires physical access to the device. Still, The Register argues it deserves attention given current levels of phone theft, particularly in the UK, and the possibility of using a stolen phone to send convincing messages in scams.

Recommended reading
One in six PCs still run Windows 10
A Google spokesperson told the publication the bug is not Pixel-specific. The company did not say which manufacturers, models, or versions are affected, and some users reportedly could not reproduce the issue on Samsung devices.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via The Register


