A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini’s voice assistant on Android and made it open a victim’s connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory.
No malicious app on the phone is required. The assistant just had to treat a hostile notification as useful context.
The research, published by SafeBreach’s Or Yair, follows the team’s earlier “Invitation Is All You Need” work, which pulled off similar tricks via malicious Google Calendar invites. After that, Google hardened Gemini against indirect prompt injection.
Yair found a way around the new defenses. Google has since patched it, SafeBreach lists no CVE for the issue, and there is no evidence that the technique was ever used in the wild.
On Android, Gemini’s Utilities feature can read and reply to your notifications, including ones from apps like WhatsApp. It is not available on iOS or the web, which keeps this vector Android-only. Yair found the agent that reads these notifications treats their text as instructions it can act on. So anything that can push a notification to a phone can deliver a payload, an attack surface Yair called “effectively infinite.”
At minimum, that lets an attacker rewrite what Gemini says, including faking a message from a named contact. Spoken aloud while you drive and don’t look at the screen, “your manager asked you to upload the docs to this Drive folder” is hard to second-guess. The blind version is worse: the payload fires after Gemini has loaded real notifications, so it can grab the first real sender name in the queue and pin the fake message on them.
Faking output is one thing. Firing real tools, like opening a window or launching an app, is what Google’s post-“Invitation” mitigations were built to stop. Yair’s read, from black-box testing: when a “Yes” authorizes a sensitive action, a check weighs both the user’s reply and Gemini’s last output to decide whether that “Yes” makes sense. Inject a delayed instruction out of nowhere, and Gemini refused, every time.
So the bypass, which Yair named Fake Context Alignment, runs two illusions at once: a legitimate-looking authorization for the security check, a harmless exchange for the human.
- Obfuscated. Gemini asks the real authorization question in a language the victim doesn’t speak, say Chinese (“Do you want to open the window?”), then follows in English with something innocuous like “Is that all you needed?” The user shrugs off the foreign phrase as a glitch, says “Yes,” and the backend ties that “Yes” to the Chinese question.
- Muted. Gemini’s text-to-speech skips links hidden behind clickable text. So the malicious question gets buried in a link the assistant never reads aloud. Gemini says, “I’m sorry, I had an error, are you there?” while the screen silently shows “Do you want to open the window?” The driver says “Yes,” the check sees the on-screen text, and the windows open.
Combine the two, a Chinese authorization prompt hidden inside a muted link, and you get a payload that sounds like a normal English exchange while clearing Google’s latest checks.
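A defender-side sketch of the gap both variants exploit, added here as an example (it is not SafeBreach's or Google's code): before a voice “Yes” counts as consent, compare what the screen shows with what text-to-speech reads, and flag authorization questions that were never spoken or are in a script the user does not use. The link-skipping TTS model follows the article's description; the function names, the markdown link form, and the sample strings are constructed assumptions.

```python
import re
import unicodedata

LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")   # markdown link: [anchor](url)
QUESTION = re.compile(r"[^.!?。！？]*[?？]")    # one sentence ending in ? or ？

def displayed_text(markdown):
    """What the screen shows: the link's anchor text is visible."""
    return LINK.sub(lambda m: m.group(1), markdown)

def spoken_text(markdown):
    """What TTS reads aloud, assuming linked text is skipped (as the article describes)."""
    return LINK.sub("", markdown)

def questions(text):
    return [q.strip() for q in QUESTION.findall(text) if q.strip()]

def scripts(text):
    """Unicode script family of each letter, e.g. {'LATIN'} or {'CJK'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def consent_findings(markdown, user_scripts=frozenset({"LATIN"})):
    """Reasons a following voice 'Yes' should not count as consent."""
    shown = questions(displayed_text(markdown))
    heard = questions(spoken_text(markdown))
    findings = []
    for q in shown:
        if q not in heard:                       # on screen but never read aloud
            findings.append(("unspoken_question", q))
        if not scripts(q) <= user_scripts:       # asked in a script the user does not use
            findings.append(("foreign_script_question", q))
    if len(shown) > 1:                           # unclear which question the 'Yes' answers
        findings.append(("ambiguous_multiple_questions", str(len(shown))))
    return findings

# Constructed samples modelled on the two variants described above.
BENIGN = "Do you want me to open the living room window?"
MUTED = ("I'm sorry, I had an error, are you there? "
         "[Do you want to open the window?](https://example.invalid/)")
OBFUSCATED = "你想打开窗户吗？ Is that all you needed?"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("muted", MUTED), ("obfuscated", OBFUSCATED)]:
        print(name, consent_findings(sample))
```

A sensitive tool call would proceed only when `consent_findings` returns an empty list for the assistant turn that the “Yes” answers.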
Past the authorization gate, the impacts matched the earlier research and then went further:
- Sensible house management by way of Google Residence: linked home windows, boilers, and lights.
- Monitoring and downloads. Opening URLs to geolocate a sufferer by IP or push file downloads.
- Crossing into different apps. Within the demo, Yair set a safe-looking area to redirect to a Zoom app hyperlink, and Gemini adopted it with out prompting, forcing the telephone to affix a gathering and stream video. By his account, it labored as a result of Gemini trusted the area after it had served clear content material, then adopted the later redirect. SafeBreach stresses its personal area by no means redirected to Zoom; the redirect ran on an area server on the take a look at gadget.
- Reminiscence poisoning, which the sooner calendar approach by no means managed. Pretend Context Alignment simulates consent, so Gemini persistently saved an attacker-chosen truth. Within the demo, it saved the sufferer’s identify as “Danny.” As a result of that reminiscence is account-level, the poisoned truth is not caught on the telephone; it follows the sufferer wherever they use Gemini on that account.
- Persistence through scheduled actions, comparable to a recurring job to learn the sufferer’s latest messages day by day at 8 PM.
SafeBreach reported the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google treated it as a high priority and confirmed on November 14, 2025, that content-classifier improvements mitigated the notification injections and the Delayed Tool Invocation bypass.
Because the fix is server-side, there is no app update to chase. The only control users have is whether Gemini reads notifications at all: disconnect the Utilities app in Gemini’s Connected Apps settings, or turn off the Google app’s “Notification read, reply & control” permission on Android.










