Cybersecurity researchers have disclosed details of a vulnerability that could have allowed malicious notifications from applications such as WhatsApp, Slack, SMS, Signal, Instagram, and Messenger to manipulate Google Gemini on Android devices and trigger unauthorized actions. According to research published by SafeBreach, a single poisoned notification could potentially influence Gemini’s voice assistant capabilities without requiring a malicious application to be installed on the targeted device. Researchers explained that the issue emerged because Gemini could interpret hostile notifications as trusted context, potentially allowing attackers to manipulate assistant behavior in ways ranging from opening connected smart home systems to altering long term memory settings linked to a user’s account. Google has since patched the issue, and researchers stated there is currently no evidence suggesting the technique was used in real world attacks.
The findings build on earlier SafeBreach research known as “Invitation Is All You Need,” which demonstrated how malicious Google Calendar invites could indirectly manipulate Gemini through prompt injection methods. Following those earlier disclosures, Google reportedly strengthened Gemini’s defenses against indirect prompt injection attacks. However, SafeBreach researcher Or Yair identified a method to bypass those mitigations through Gemini’s Utilities feature on Android, which enables the assistant to read and respond to notifications from supported applications including WhatsApp. Researchers noted that this feature is not available on iOS or web based versions, limiting exposure to Android devices. According to the findings, Gemini’s notification reading agent reportedly interpreted notification content as instructions capable of influencing system behavior, creating what researchers described as an effectively unlimited attack surface because any service capable of sending a notification could theoretically deliver a malicious payload.
Researchers explained that attackers could manipulate Gemini into presenting false information to users, including impersonating trusted contacts or workplace figures. For example, a malicious notification could reportedly cause Gemini to verbally claim that a manager had requested documents to be uploaded to a file sharing platform, creating opportunities for deception particularly when users rely on voice interactions while driving or multitasking. Researchers also demonstrated more advanced bypass techniques referred to as Fake Context Alignment, where Gemini could be tricked into authorizing sensitive actions through misleading prompts. One method involved displaying authorization questions in foreign languages while presenting harmless English responses to users, increasing the likelihood of accidental approval. Another technique reportedly exploited how Gemini’s text to speech system ignored hyperlinks hidden behind clickable text, enabling attackers to conceal sensitive authorization requests while verbally presenting harmless messages. According to researchers, combining these approaches could enable malicious prompts to bypass Gemini’s post mitigation authorization checks.
Beyond misleading outputs, SafeBreach researchers said the vulnerability could potentially trigger real actions through connected applications and smart home environments. Demonstrations reportedly included opening connected windows, controlling household devices through Google Home integrations, launching application links, and forcing Android devices into Zoom meetings through manipulated redirects. Researchers also highlighted the possibility of “memory poisoning,” where attackers could permanently store false information inside Gemini’s account level memory, allowing manipulated details to follow users across devices linked to the same Google account. Additional risks included creating recurring scheduled actions capable of accessing recent messages at fixed intervals. SafeBreach disclosed the findings to Google’s Vulnerability Reward Program in August 2025, after which Google classified the issue as high priority and confirmed in November 2025 that server side protections and content classification improvements had mitigated notification injection and delayed tool invocation techniques. Since the protections were implemented through server side updates, users are not required to install application updates, although researchers noted that Android users can reduce exposure by disabling Gemini notification reading permissions through Connected Apps settings.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
