A reported Android 16 vulnerability could allow Gemini to send an SMS from a locked phone without completing PIN verification. The issue is significant because the normal authentication prompt can reportedly be bypassed through a specific sequence of interface actions.
The reported scenario requires physical access to a device that remains locked. It is not described as a remote attack, but it could affect the protections expected when a phone is in another person’s hands.
A video demonstration shows Gemini initially requesting a PIN when asked to send a message from the lock screen. The verification step reportedly changes when the add-attachment button is pressed at the same time as the Continue button.
That combination is said to bypass the verification screen and allow the SMS process to continue. The behavior is classified as an authentication bypass, also known as a lock-screen bypass.
Normal Protection and Reported Behavior
Gemini can be accessed from the lock screen to support quick actions without requiring a user to fully open the device. That convenience places added importance on ensuring that every action involving messages or apps remains protected by the same authentication boundary.
| Function | Expected Protection | Reported Result |
|---|---|---|
| SMS sending | Gemini asks for a PIN | The message can proceed without PIN verification |
| WhatsApp access | Access was disabled in Gemini settings | Access can be enabled again in the demonstration |
The reported concern goes beyond a missing PIN prompt on a single screen. It suggests that an interface transition may allow a protected action to continue even while the phone has not been unlocked normally.
The demonstration also reportedly shows WhatsApp access being enabled again through Gemini. This is notable because that access had previously been disabled in the assistant’s settings.
App Restrictions May Be Affected
The WhatsApp element raises questions about restrictions that users set for app access through Gemini. If the reported flow can change those restrictions while a device is locked, the potential impact extends beyond sending one text message.
Disabling an app integration is intended to limit what an assistant can do on behalf of the user. The case indicates that a setting alone may not provide sufficient protection if the authentication flow contains a weakness.
According to GSMArena, the vulnerability was reported in May and affects Android 16. Google is said to be aware of the issue, with a fix reportedly in development.
There is no confirmed information identifying every affected device or Android interface. The report indicates that the matter is not limited to Pixel devices.
A Security Boundary Under Pressure
Lock-screen bypass issues are not unique to Android, but this case involves a different route through a digital assistant and its app permissions. When an assistant can receive commands before a device is unlocked, each button, prompt, and transition must preserve the same security rules.
Modern software combines the operating system, lock screen, AI assistant, and individual app permissions in many possible user flows. A flaw in one of those interactions can weaken the security boundary maintained by the others.
The scope of affected devices remains unclear while a fix is being prepared. For Android 16 users who rely on Gemini from the lock screen, the report highlights why rapid assistant actions must remain subject to verification that cannot be bypassed.
Source: www.gsmarena.com






