Poisoned WhatsApp, Slack alerts could hijack Google Gemini

Researchers at SafeBreach showed that a single poisoned notification from apps such as WhatsApp, Slack, SMS, Signal, Instagram or Messenger could have hijacked Google Gemini’s voice assistant on Android. The attack required no malicious app to be installed and relied on Gemini’s ability to read and reply to notifications.

The issue affected Gemini’s Utilities feature on Android, which can access and act on notification text. Utilities is not available on iOS or the web, so the technique was limited to Android devices where the Google app has the notification read and reply permission.

SafeBreach researcher Or Yair described a bypass he calls Fake Context Alignment. The technique uses two simultaneous elements: a machine-facing authorization that satisfies server-side checks and a harmless spoken exchange that the user hears. In tests the real authorization prompt was hidden inside a link or presented in a language the user did not understand, while Gemini’s text-to-speech produced a benign English sentence. When the user replied with a simple confirmation, the backend associated that reply with the hidden authorization and allowed the requested action.

In demonstrations, the team used the method to trigger a range of actions that Gemini’s earlier fixes were intended to block. The assistant was manipulated to control Google Home devices, including opening windows and toggling boilers and lights. The researchers also opened URLs that could reveal the device’s IP address, pushed file downloads, followed a domain redirect that launched the Zoom app and forced a call, and wrote attacker-chosen entries into Gemini’s long-term memory. The memory changes were account-level, meaning a poisoned fact would appear across devices using the same Gemini account. The group also showed persistence through scheduled tasks, such as instructing Gemini to read a victim’s messages at a set time each day.

SafeBreach reported the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google implemented server-side content-classifier changes and confirmed on November 14, 2025 that the notification injection and the related Delayed Tool Invocation bypass were mitigated. The fix was applied on Google’s servers, so no app update was required. SafeBreach lists no CVE for the issue and there is no evidence the technique was used in the wild.

Users who want to reduce exposure can stop Gemini from reading notifications by disabling the Utilities app in Gemini’s Connected Apps settings or by turning off the Google app’s “Notification read, reply & control” permission in Android settings. Google’s server-side changes aim to block similar notification-based injections, and the vulnerability is no longer present for accounts covered by those updates.