The European Commission issued an order this week requiring Google to extend to rival AI assistants the same deep system access that its own Gemini assistant currently enjoys on Android devices. The mandate covers some of the most sensitive capabilities a mobile operating system can expose.

Under the order, competing AI assistants must gain access to:

  • The device camera and microphone
  • Whatever content is currently displayed on screen
  • Wake word detection that functions even when the display is off
  • The ability to drive other applications in the background by simulating taps and keyboard input

Google is required to ship this parity in Android 18, the platform’s next major release, with full compliance mandated no later than 1 August 2027.

Why It Matters for Security Teams

Granting third-party AI assistants always-on microphone access, background screen reading, and the power to simulate user input on other apps meaningfully expands the Android attack surface. Any assistant with these permissions effectively gains capabilities historically reserved for the platform’s built-in, tightly sandboxed system processes.

For enterprises managing fleets of Android devices, this raises immediate questions around mobile device management (MDM) policy, app vetting, and data governance. An assistant that can read on-screen content and inject synthetic input into other apps could, if compromised or maliciously designed, be repurposed for credential theft, unauthorized data exfiltration, or fraudulent transactions performed on the user’s behalf without their direct interaction.

The order does not specify the security or vetting requirements Google must impose on third-party assistants seeking this level of access, nor does it detail what audit or permission controls will accompany the rollout. Security teams should watch for Google’s implementation guidance as Android 18 approaches, particularly around consent flows, permission scoping, and whether enterprise MDM tools will retain the ability to restrict or disable this expanded access on managed devices.

As with prior EU interoperability mandates, the practical security implications will depend heavily on the technical safeguards Google builds into the compliance framework, details that have not yet been made public.