If you’re currently using an AI app on your Google Pixel, Samsung, or any Android phone, you might want to reconsider your app usage.
Recently, a security investigation has uncovered alarming vulnerabilities across thousands of AI-powered Android apps, raising serious concerns about user data safety on the Google Play Store.
Researchers analyzed 1.8 million Android apps, focusing on those that actively promote artificial intelligence features, and the results reveal a systemic problem, not isolated developer mistakes.
Widespread Hardcoded Secrets in AI Apps
Growtika/Unsplash
Cybersecurity researchers identified 38,630 Android apps claiming AI functionality and examined their source code for exposed credentials. Nearly 72% of these apps contained at least one hardcoded secret, with affected apps leaking an average of 5.1 secrets each.
In total, the study uncovered more than 197,000 unique exposed credentials. For users, it’s hard to detect what’s wrong with the apps right away, but for experts, this highlights how coding practices that are not secure remain embedded in the ecosystem.
Read more:
Is Two-Factor Authentication Overrated? Here’s Why it’s Not Enough Anymore
Google Cloud and Firebase Data at Risk
Over 81% of all leaked secrets were linked to Google Cloud services, including API keys, project IDs, Firebase databases, and storage buckets. While many references pointed to inactive infrastructure, thousands remained live.
Researchers found 8,545 active Google Cloud storage buckets, hundreds of which were publicly accessible and potentially exposed more than 200 million files, roughly 730TB of data.
Even more concerning, 285 Firebase databases lacked any authentication, leaking at least 1.1GB of data. In nearly half of these cases, evidence suggested prior attacks had already occurred, yet many databases remained unsecured.
Payments and User Data Exposed
Although leaked large language model API keys were relatively rare, some of the most critical exposures involved live payment systems, according to TechRadar.
Researchers discovered leaked Stripe secret keys capable of granting full control over transactions.
Other compromised credentials enabled access to analytics, communications, and customer data platforms, allowing attackers to impersonate apps or extract sensitive user information.
Related Article:
Best Password Managers That Every Android User Should Try in 2026