Leaked Google API Keys Abused

Attackers abused exposed Google API keys across about 22 apps to run Gemini AI workloads, generating unexpected charges and losses for developers. Reporting says the incident produced hundreds of thousands in costs and highlights how leaked credentials can turn into runaway inference bills. (techradar.com)

Attackers are pulling Google API keys out of Android apps and using them to run Gemini artificial intelligence jobs on other people’s cloud accounts. (cloudsek.com) CloudSEK said on April 7 that it found 32 hardcoded Google API keys in 22 Android apps with a combined install base above 500 million. SecurityWeek reported the same findings on April 9 and said the exposed keys could reach all Gemini endpoints. (cloudsek.com) (securityweek.com)

A Google API key is a project credential, like a building badge for software, and developers long used these keys in apps for services such as Maps and Firebase. CloudSEK and Quokka said that changed once Gemini was enabled inside the same Google Cloud project, because old keys could suddenly call billable artificial intelligence services. (cloudsek.com) (quokka.io)

CloudSEK said attackers can decompile an Android app, copy the exposed key, and send requests to Gemini’s files, cached content, and model endpoints. Quokka said extracting those keys requires minimal skill because Android packages can be unpacked and searched with simple tools. (cloudsek.com) (quokka.io)

The bills can move fast. Yahoo Tech, citing CloudSEK’s reporting, described one solo developer who shut off a leaked key within minutes but still saw charges reach $15,400 because of billing lag, a company in Japan that lost about $128,000, and a team in Mexico that saw $82,314 in unauthorized usage in 48 hours. (tech.yahoo.com)

Researchers said the exposure is not limited to cloud spending. CloudSEK said a stolen key can also expose uploaded files and cached prompts, and Yahoo Tech reported that researchers were able to access user-submitted audio files in the language-learning app ELSA Speak through the Gemini Files application programming interface. (cloudsek.com) (tech.yahoo.com)

The mobile app findings followed a broader web scan from Truffle Security in February. Truffle said it found 2,863 live Google API keys on the public internet that could authenticate to Gemini, and The Hacker News reported that new keys in Google Cloud defaulted to “Unrestricted,” making them usable across enabled application programming interfaces in the same project. (trufflesecurity.com) (thehackernews.com)

Google’s current documentation says publicly exposed API keys can lead to “unexpected charges” and “unauthorized access to your data.” The company’s guidance tells developers not to include keys in client code, to add key restrictions, to delete unused keys, and to monitor usage through Cloud Monitoring and Cloud Logging. (docs.cloud.google.com)

That leaves developers rotating keys that used to be treated as low-risk identifiers and auditing projects where Gemini was switched on later. In this case, a string that once worked like a public label now behaves like a credit card number with a model attached. (cloudsek.com) (docs.cloud.google.com)
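A pre-release check of the kind Google's "don't ship keys in client code" guidance calls for, added here as an example that is not from the article or from any of the researchers it cites: it scans the text files of an unpacked build for strings shaped like Google API keys, reports each hit with the key redacted, and counts distinct keys across files. The file contents and both keys are constructed samples, and the key shape (the literal prefix "AIza" plus 35 characters from [0-9A-Za-z_-]) is an assumption based on Google's documented key format, not something stated in the article.

```python
import hashlib
import re
from typing import NamedTuple

# Assumed key shape: "AIza" followed by 35 characters from [0-9A-Za-z_-] (39 total).
# Lookarounds reject partial matches inside longer tokens ("_" is a word character, so \b is not enough).
KEY_CHARS = r"[0-9A-Za-z_-]"
GOOGLE_API_KEY_RE = re.compile(rf"(?<!{KEY_CHARS})AIza{KEY_CHARS}{{35}}(?!{KEY_CHARS})")

class Finding(NamedTuple):
    path: str
    line_no: int
    masked_key: str  # first and last four characters only, so the report cannot re-leak the key
    key_hash: str    # truncated SHA-256, lets you correlate one key across several files

def _redact(key: str) -> tuple[str, str]:
    digest = hashlib.sha256(key.encode()).hexdigest()[:12]
    return f"{key[:4]}...{key[-4:]}", digest

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per key occurrence in the given file contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            masked, digest = _redact(match.group(0))
            findings.append(Finding(path, line_no, masked, digest))
    return findings

def scan_artifacts(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. every text file of an unpacked APK."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

def distinct_keys(findings: list[Finding]) -> int:
    return len({f.key_hash for f in findings})

# Constructed sample files standing in for an unpacked build; both keys are fake.
FAKE_KEY_A = "AIza" + "SyEXAMPLE_" + "0" * 25
FAKE_KEY_B = "AIza" + "SyEXAMPLE_" + "1" * 25
SAMPLE_FILES = {
    "res/values/strings.xml": f'<string name="gemini_key">{FAKE_KEY_A}</string>\n',
    "smali/com/example/Config.smali": f'    const-string v0, "{FAKE_KEY_A}"\n',
    "assets/google-services.json": f'{{"current_key": "{FAKE_KEY_B}"}}\n',
    "README.md": "Not keys: AIzaTooShort and AIza" + "x" * 40 + "\n",
}
```

Running `scan_artifacts(SAMPLE_FILES)` reports three occurrences of two distinct keys and ignores the two malformed strings in README.md; any hit in a shipped artifact is a key that needs rotation and API restrictions before release.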
