EU order opens Android mic, cam, screen to rival AI agents
EC ordered Google to open Android's mic, camera, screen, and always-on hotword to rival AI assistants — mandatory in Android 18 by 1 August 2027.
Confirmed: the European Commission on Thursday ordered Google to give rival AI assistants the same reach into Android that Gemini already has — camera, microphone, on-screen content, an always-on hotword that fires with the display off, and background app control by imitating taps and typing. Deployment is mandatory in Android 18, deadline 1 August 2027. Confidence: high on the mandate itself; unassessed on second-order attack surface, which is the point of this piece.
The timeline the Commission wrote
- 1 February 2027 — draft programme terms due from Google.
- 1 May 2027 — final terms locked, third-party applications open.
- 1 August 2027 — mandatory deployment in Android 18.
- 1 August 2028 — concurrent hotword support (multiple assistants listening at once) deferred to Android 19.
Everything before that first date is procedural. The load-bearing decisions are the ones Google will draft between now and February.
What Google has to expose
The Commission’s structure is a Qualified AI Assistant Programme (QAAP) — free third-party certification through Trusted Certification Authorities. Google writes the certification requirements. The Commission approves them. Testing is capped at four categories: user intent confirmation, data minimisation, baseline security, and what the decision calls “agentic risk” hardening.
Five features require certification before a rival can ship into them. Six do not — and the six include ambient camera and microphone access and always-on hotword detection. That is the security-relevant asymmetry in the ruling. The capabilities that indirect prompt injection would want most — the ones that let an assistant see, hear, and be woken by an attacker-controlled utterance — are the ones the QAAP does not gate behind certification. Confidence on that framing: high, drawn directly from the decision text as summarised by The Hacker News.
Google’s stated objection
Google Chief Legal Officer Kent Walker said the order “threatens device security by granting external apps sensitive and powerful device permissions.” Confidence on the quote: high. Confidence on the underlying claim: as-argued — Google is a party with an obvious interest, but the technical concern is not manufactured.
The Commission’s own decision cites SafeBreach’s 2025 work demonstrating indirect prompt injection against Gemini’s Android agent through notification content — an attacker plants a payload in a notification the user never taps, and Gemini processes it as instruction on the next agent-triggered action. The Commission cites this as prior art proving the risk is real, and treats it as a reason to certify rather than to withhold. Read that as the regulator’s revealed preference: they judge the competition harm from a single trusted broker to be larger than the marginal attack surface from N brokers holding the same capability. That is a policy judgement, not a technical one.
What actually changes for defenders
Nothing operationally today. Android 18 does not ship for another twelve months. The mandate is not retroactive to current Android versions. No new CVE, no new patch, no advisory to feed into a ticket queue.
What to watch, in order:
- The draft QAAP terms in February 2027. Specifically: what does the certification’s “baseline security” bar require, and what does “agentic risk” testing actually look like? Those two phrases are load-bearing for the entire framework and they have not been written yet. If either lands weak, every certified assistant becomes an in-band route to the exact capability set — mic, camera, screen contents, wake word with the display off, tap-and-type impersonation — that already got compromised once against a single trusted broker.
- Google’s response between now and 1 February. No public confirmation yet on whether Google will appeal, seek modifications, or comply on the current timeline. Treat as pending; do not file it as either resistance or acquiescence.
- The hotword architecture in Android 19. Concurrent hotword — multiple assistants listening simultaneously — is deferred to August 2028, but the design decisions get made earlier. Whatever isolation model Google chooses between hotword processes is the thing that determines whether one compromised assistant can eavesdrop on another.
Prior coverage worth reading alongside this
- SafeBreach’s Gemini notification-injection is the same shape of problem as the Claude for Chrome trust boundary that Manifold documented last week — an AI agent reading attacker-controlled text as instruction rather than as data.
- Google itself is dealing with the misuse edge of the same family: Gemini CLI being repurposed as a hacking agent, Trend Micro’s writeup earlier this week.
- The PNG prompt-injection work against CodeRabbit and BugBot sits in the same failure class: privileged agent, attacker-controlled input surface, no meaningful separation.
Different vendors, same underlying failure. The EU has just voted to expand the affected surface by executive fiat. That is the fact; the operational consequence is a February 2027 document nobody has drafted yet.
Sources
Found this useful? Share it.