Google acknowledged a serious lock-screen flaw in Android 16 that lets anyone with physical access to a locked phone bypass the PIN and use Gemini to send SMS messages and activate WhatsApp messaging. The bug was reported on July 17, and Google says a fix is rolling out this week, but as of July 18, many devices remain unprotected.

A Specific Multi-Touch Gesture Exploited a Security Gap

The vulnerability affects Android 16 devices that have Gemini enabled on the lock screen with the “Make calls and send messages without unlocking” setting turned on—even after the user has revoked Gemini’s access to specific messaging apps. On a locked phone, an unauthorized person can send an SMS by pressing the “Continue” button (which normally triggers a PIN prompt) at the same time as Gemini’s “Add attachment” button. This multi-touch action bypasses the authentication check entirely and dispatches the message.

The Register first reported the flaw after multiple users and a security researcher documented the bypass since May 2026. On a fully patched Pixel 6a running Android 16, the researcher used Gemini’s Deep Research feature as an entry point to replicate the issue.

Even more concerning, the same technique can re-enable apps that the owner previously disconnected from Gemini. Typing “@WhatsApp” in Gemini’s text window at the lock screen triggers a connection flow without requesting the PIN—and the integration stays active. After the owner unlocks the device, Gemini settings show WhatsApp as connected, even though no authentication ever took place.

The flaw does not expose the device PIN or grant full app access, but it turns Gemini into an impersonation tool. An attacker who briefly handles the phone can send fraudulent messages that appear to come from the owner’s number, which is highly effective for scams, phishing, or social engineering.

Who’s Affected and What’s the Real Risk?

Anyone running Android 16 with Gemini enabled on the lock screen is vulnerable until the fix arrives. The risk is not theoretical: a lost or momentarily unattended phone can become a trusted channel for impersonation before the owner notices. A fake SMS from your number—asking a friend for money or a verification code—is far more convincing than a message from an unknown account.

The persistence of the WhatsApp connection adds a longer-term threat. If an attacker activates the integration, they can later initiate conversations even after the phone is returned, because Gemini treats WhatsApp as an authorized app.

For Windows users, the issue is particularly relevant because many rely on their Android phone for multi-factor authentication, staying connected with coworkers via WhatsApp or SMS, or accessing Microsoft Teams. An impersonated message could compromise not just personal but professional relationships. Windows administrators should consider how this kind of mobile lock-screen bypass could be used as a stepping stone in a targeted attack against their organization—especially when employees use personal devices for work.

IT and mobile device management teams may also need to reevaluate policies around Gemini and similar assistants. Even if corporate apps aren’t directly exposed, an attacker who can impersonate an employee through personal messaging can make phishing attempts look much more credible to help desks or colleagues.

A Timeline of Gemini Lock-Screen Flaws

This isn’t the first time Gemini has run into lock-screen security trouble. Bitdefender notes that similar bugs have surfaced since September 2025, with each one exploiting a new workflow while Google patches the old ones. The recurring theme: as Gemini gains more capabilities at the lock screen—calls, messages, app integrations—the attack surface expands, and authentication checks must cover every new path.

Google’s support documentation describes two separate lock-screen settings:
- Use Gemini without unlocking: allows general Q&A and non-sensitive tasks.
- Make calls and send messages without unlocking: a subset that permits communication actions.

The current bypass breaks the bond between these two. Even when a messaging integration was revoked and should require a fresh PIN, the multi-touch bug lets Gemini proceed anyway. The flaw isn’t a theoretical design weakness—it’s an execution failure in the code that enforces authentication.

How to Secure Your Android Device Right Now

Until Google’s fix reaches your device, the most effective defense is to restrict Gemini’s lock-screen permissions:

  1. Open the Gemini app, tap your profile picture, and go to Settings > Gemini on lock screen.
  2. Turn off “Make calls and send messages without unlocking.” This closes the immediate SMS and WhatsApp path.
  3. If you rarely use Gemini from the lock screen at all, disable “Use Gemini without unlocking” entirely. That removes the attack surface completely.
  4. After any future app update, revisit these settings to verify they remain off.
  5. Check connected apps in Gemini’s settings. Remove any integrations (like WhatsApp) you don’t need, especially if you didn’t authorize them yourself.

If your phone is lost or you suspect someone handled it, review sent-message histories and Gemini’s connected-app list immediately. Look for any messages you didn’t send or any newly activated services.

For organizations:
- Remind employees to turn off the risky Gemini setting on any Android device used for work.
- Use mobile device management (MDM) to restrict assistant features on corporate-owned devices, if possible.
- Strengthen social-engineering training: teach staff that messages from familiar numbers can still be fraudulent.

Looking Ahead: Lock-Screen AI Assistants Under Scrutiny

A patch is on its way, but the real lesson is about the architecture of lock-screen assistants. Every new convenience—making calls, sending messages, connecting apps—creates a new path that must be guarded with the same rigor as unlocking the phone itself. Windows users should watch for similar challenges as Microsoft integrates AI into its own lock-screen experiences, like Windows Copilot or phone-link assistants. The principle is the same: any action that can change state or send information on behalf of the user must be blocked by a hard authentication gate. Google’s bug shows that a single mistimed tap can defeat that gate—and that’s a design flaw the entire industry will need to learn from.