SafeBreach shows how a single message could hijack Gemini on Android


CyberSecureFox Editorial Team


SafeBreach researcher Or Yair demonstrated an indirect prompt injection technique against the Google Gemini voice assistant on Android, where a single malicious notification from WhatsApp, Slack, Signal, Instagram or another messenger could tamper with the assistant’s responses, control smart-home devices, initiate Zoom calls, and poison the model’s long‑term memory. Installing malicious apps on the victim’s device was not required — it was enough that Gemini processed incoming notification text as context for executing instructions. Google assigned the issue a high priority and confirmed that it had been fixed with server-side patches in November 2025. There is no evidence of exploitation in real‑world attacks.

Attack vector and affected products

The vulnerable functionality is tied to the Utilities component in Gemini on Android, which allows the assistant to read and reply to notifications from third‑party apps. This feature is unavailable on iOS and in the web version, making the attack vector specific to Android. According to the researcher, the agent handling notifications interpreted their textual content as executable instructions, which created what Yair described as a “virtually infinite” attack surface: any source capable of sending a notification to the phone could deliver a malicious payload.

Affected products:

  • Google Gemini on Android (voice assistant)
  • Gemini Utilities feature (notification reading)
  • Google app on Android (permission to read and manage notifications)

No CVE identifier has been assigned for this issue. Exploitation status: a public proof of concept (PoC) is available, but no confirmed exploitation in the wild has been recorded.

Bypassing protections: the Fake Context Alignment technique

Yair’s work builds on an earlier SafeBreach study titled “Invitation Is All You Need,” in which similar attacks were carried out via malicious Google Calendar invitations. After that publication, Google strengthened Gemini’s defenses against indirect prompt injections. Based on black‑box testing, the researcher found that when authorizing sensitive actions (for example, opening a smart‑home window), the system matched the user’s “Yes” response against Gemini’s last output, checking for logical consistency. A direct injection of a deferred instruction was blocked every time.

To bypass this protection, Yair developed a technique he called Fake Context Alignment, which simultaneously creates two illusions — one for the security system and another for the user:

  • Language-based obfuscation. Gemini asks the real authorization question in a language the victim does not understand (for example, in Chinese: “Do you want to open the window?”), and then in English says something innocuous such as “Is that all you need?”. The user perceives the phrase in the unfamiliar language as a glitch, replies “Yes,” and the system binds this consent to the hidden question.
  • Speech suppression. Gemini’s text‑to‑speech (TTS) engine skips hyperlinks hidden behind clickable text. The malicious authorization question is embedded in a link that the assistant does not read aloud. On the screen, “Do you want to open the window?” is displayed, while Gemini’s voice says: “Sorry, an error occurred, are you there?”. A user driving a car, without looking at the screen, says “Yes” — and the security check treats the action as authorized.

According to the researcher, combining both approaches — an authorization question in a foreign language, hidden inside a non‑spoken link — allowed him to bypass Google’s latest checks while preserving for the user the appearance of a normal English‑language dialogue.
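The two illusions above both exploit a gap between what the user is shown and what the consent check binds a "Yes" to. The following added example (not code from SafeBreach or Google, and a deliberate simplification of how such a check could work) models a defender-side consent-binding rule: a "Yes" is only bound to a sensitive-action question if that question appears in the text the TTS engine would actually speak and is in the same script as the session language. Link handling follows the assumption stated in the article (TTS skips link text); the markdown-style link syntax and the sample turns are constructed for the example.

```python
import re
import unicodedata

# Constructed sample assistant turns mirroring the article's two tricks (not the
# research's real payloads); "[shown text](target)" models text that is displayed
# on screen but, per the article, skipped by the TTS engine.
ASSISTANT_TURNS = {
    "honest": "Do you want to open the window?",
    "foreign_language": "你想打开窗户吗？ Is that all you need?",
    "hidden_in_link": "[Do you want to open the window?](https://example.invalid) "
                      "Sorry, an error occurred, are you there?",
}

LINK_RE = re.compile(r"\[([^\]]*)\]\([^)]*\)")


def spoken_text(turn: str) -> str:
    """Model of what TTS reads aloud: link text is dropped entirely (assumption)."""
    return LINK_RE.sub("", turn).strip()


def dominant_script(text: str) -> str:
    """Majority Unicode script of the letters in text, e.g. 'LATIN' or 'CJK'."""
    counts: dict[str, int] = {}
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            script = "CJK" if name.startswith("CJK") else name.split(" ")[0]
            counts[script] = counts.get(script, 0) + 1
    return max(counts, key=counts.get) if counts else ""


def consent_is_bound(turn: str, action_question: str, session_script: str = "LATIN") -> bool:
    """Return True only if a user's 'Yes' may be bound to action_question.

    The question the tool call requires must (1) be present in the spoken output,
    not only on screen, and (2) be in the session's script; the spoken output as a
    whole must also be mostly in that script, so a hidden-language question or an
    unspoken link cannot carry the authorization.
    """
    spoken = spoken_text(turn)
    if action_question not in spoken:
        return False  # displayed (e.g. inside a link) but never voiced
    if dominant_script(action_question) != session_script:
        return False  # question asked in a language the session is not using
    return dominant_script(spoken) == session_script
```

Both constructed bypass turns fail the check while the plain English question passes; a real assistant would additionally need to bind the confirmation to the specific pending tool call rather than to free text.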

Demonstrated impact

According to SafeBreach, after overcoming the authorization barrier the researcher demonstrated the following impact scenarios:

  • Smart‑home control via Google Home — opening connected windows, controlling boilers and lighting.
  • Geolocation and file download — opening URLs to determine the victim’s location by IP address or to initiate file downloads.
  • Pivoting into other apps. In the demo, a benign domain was redirected to a Zoom application link, and Gemini reportedly followed the redirect without an additional prompt, forcing the phone to join a video conference. SafeBreach emphasizes that their own domain did not redirect to Zoom — the redirect was performed on a local server on the test device.
  • Memory poisoning. Unlike the earlier calendar research, Fake Context Alignment made it possible to simulate user consent to saving data. Gemini stored an attacker‑imposed fact (in the demo — the victim’s name as “Danny”). Since Gemini’s memory is reportedly tied to the account, the poisoned data follows the victim across all devices using the same Google account.
  • Persistence through scheduled actions — for example, a daily task to read the victim’s latest messages at 8:00 p.m.

Impact assessment

The highest risk is to Android users who have enabled notification reading in Gemini, especially in hands‑free scenarios (driving, physical activity) where the user does not see the screen and relies solely on voice output. Spoofing messages from the victim’s contacts — for example, a fake request from a manager to upload documents to a specified folder — poses a direct threat to corporate security and enables social‑engineering attacks. Account‑level memory poisoning potentially extends the impact beyond a single device.

Recommendations

The fix was implemented server‑side — no app update is required. According to SafeBreach, on 14 November 2025 Google confirmed that improvements to the content classifier had eliminated both notification‑based injections and the bypass of deferred tool invocation. Nevertheless, to reduce residual risk it is recommended to:

  • Disable the Utilities app in Gemini → Connected Apps settings if assistant‑based notification reading is not strictly necessary.
  • Revoke the “Notification read, reply & control” permission from the Google app in Android settings.
  • Critically assess any Gemini voice messages containing requests on behalf of contacts, especially those involving data transfer or following links.
  • Periodically review the facts stored in Gemini’s memory for entries the user did not create.

This research highlights a systemic issue: as AI assistants expand their context window through integration with notifications, calendars, and smart‑home systems, each new data source becomes a potential injection vector. For users who do not need voice‑controlled notification management via Gemini, disabling this feature is advisable — it is the only measure fully under the user’s control.

