Never store your keys on client side. For now the best option is to revoke your keys.
If you’ve been collecting diagnostics, usage info correctly from your app, it can tell you which of your customer(s) have figured out access to the API key. Not saying that it’ll be of help, but you can then disable access for those customers to your app.
Good luck.