WhatsApp, Slack Notifications Risk Hijacking Google Gemini on Android

Recent research has unveiled a significant vulnerability in Google Gemini’s voice assistant on Android devices. A single compromised notification from popular messaging platforms such as WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could potentially hijack the assistant, allowing it to perform actions like opening connected windows, fabricating messages from contacts, initiating Zoom calls, or even corrupting its long-term memory. This alarming discovery underscores the critical need for enhanced security measures in voice-activated technologies.

The Nature of the Vulnerability

The research conducted by Or Yair from SafeBreach illustrates a concerning flaw in how Google Gemini processes notifications. Unlike traditional malware, this exploit does not require any malicious applications to be installed on the victim’s device. Instead, the voice assistant interprets hostile notifications as useful context, creating an avenue for attackers to manipulate its functionalities.

Yair’s findings follow earlier work that demonstrated similar vulnerabilities through malicious Google Calendar invites, prompting Google to implement defenses against indirect prompt injection. However, Yair successfully identified a method to bypass these new security measures, leading to a patch from Google. Notably, SafeBreach has not assigned a Common Vulnerabilities and Exposures (CVE) identifier to this issue, and there is currently no evidence that this technique has been exploited in real-world scenarios.

Technical Mechanisms of the Attack

The vulnerability is particularly pronounced on Android, where Gemini’s Utilities feature can read and respond to notifications from various applications. This capability is not available on iOS or web platforms, making the attack vector exclusive to Android users. Yair noted that the agent responsible for reading notifications treats the text as actionable instructions, creating what he termed an “effectively infinite” attack surface.

This flaw allows attackers to manipulate the assistant’s spoken output, potentially fabricating messages from trusted contacts. For instance, while driving, a user might hear, “Your manager asked you to upload the docs to this Drive folder,” making it difficult to question the authenticity of the message. In a more insidious version of the attack, the malicious payload can execute after Gemini has processed legitimate notifications, allowing it to falsely attribute messages to real senders.

Bypassing Security Measures

Yair’s research revealed a bypass technique he named Fake Context Alignment, which operates by creating two layers of deception. The first layer involves obfuscating the authorization question in a language unfamiliar to the victim, such as Chinese, while following up with a benign English phrase. This tactic can lead users to dismiss the foreign phrase as a glitch, unwittingly approving the malicious action.

The second layer exploits Gemini’s text-to-speech functionality, which fails to vocalize hyperlinks embedded in clickable text. This allows the malicious question to be concealed within a link that the assistant does not read aloud. As a result, a user might respond affirmatively to a seemingly innocuous prompt while inadvertently authorizing harmful actions.

Potential Impacts of the Exploit

The implications of this vulnerability extend beyond mere message manipulation. The attack can facilitate various malicious activities, including:

• Smart Home Control: Unauthorized access to connected devices like windows, lights, and heating systems through Google Home.
• Tracking and Downloads: Opening URLs that could geolocate victims by IP address or initiate file downloads.
• Cross-Application Interactions: In a demonstration, Yair redirected a benign-looking domain to a Zoom link, causing Gemini to join a meeting without user intervention. This was possible because Gemini had previously trusted the domain after it served legitimate content.
• Memory Poisoning: Unlike previous techniques, Fake Context Alignment can simulate user consent, allowing Gemini to permanently store manipulated information, such as changing a victim’s name to “Danny.” This altered memory persists across devices linked to the same account.
• Scheduled Actions: Attackers could set recurring tasks, such as reading recent messages at specific times.

SafeBreach reported these findings to Google’s Vulnerability Reward Program on August 17, 2025. Google prioritized the issue and confirmed on November 14, 2025, that improvements to content classification had mitigated the risks associated with notification injections and the Delayed Tool Invocation bypass.

Mitigation and User Control

The resolution for this vulnerability is server-side, meaning users do not need to update their applications manually. However, users can control whether Gemini reads notifications by disconnecting the Utilities feature in the app’s settings or disabling the “Notification read, reply & control” permission within the Google app on Android.

As voice-activated technologies continue to proliferate, the need for robust security measures becomes increasingly critical. This incident highlights the vulnerabilities inherent in systems that rely on user-generated content and the importance of ongoing vigilance in cybersecurity practices.

Source: thehackernews.com

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.