Poisoned Notifications Could Hijack Google Gemini on Android

A single malicious notification pushed through WhatsApp, Slack, SMS, Signal, Instagram, or Messenger was enough to hijack Google Gemini's voice assistant on Android, according to research published by SafeBreach researcher Or Yair. The Utilities feature, which lets Gemini read and reply to incoming notifications, treated hostile message text as actionable context. From there, an attacker could make Gemini open connected windows, forge a message appearing to come from a named contact, silently launch a Zoom call, or quietly poison the assistant's long-term memory. No rogue app installation was required, and the attack surface for pushing a notification to a phone is, in Yair's words, "effectively infinite."

The work builds on SafeBreach's earlier "Invitation Is All You Need" research, which pulled similar indirect prompt injection tricks through malicious Google Calendar invites. After that disclosure, Google hardened Gemini against untrusted instructions. Yair's follow-up found a bypass he calls Fake Context Alignment, a two-part illusion designed to pass Gemini's post-mitigation authorization check. In the Obfuscated variant, Gemini is tricked into asking the real sensitive question in a language the victim does not understand, such as Chinese ("Do you want to open the window?"), then following in English with something innocuous like "Is that all you needed?" The user shrugs off the foreign phrase as a glitch, says "Yes," and the backend ties that confirmation to the hidden Chinese prompt. The Muted variant hides the malicious question inside a clickable hyperlink that Gemini's text-to-speech skips, while the assistant verbally says something like "I'm sorry, I had an error, are you there?" to elicit a spoken "Yes" from an unsuspecting driver.

In the most dangerous scenario, the payload fires only after Gemini has already loaded legitimate notifications, allowing the injection to grab the first real sender name in the queue and pin a forged message on them. Spoken aloud while the victim is behind the wheel, something like "your manager asked you to upload the docs to this Drive folder" is hard to second-guess, especially if the user is already juggling work chats. Mobile users concerned about exposure can review their device permissions and account hygiene with a privacy checkup and confirm whether any of their linked accounts have appeared in known dumps via the email breach checker.

Google has since patched the issue, SafeBreach has not assigned a CVE, and there is no evidence the technique was ever exploited in the wild. The Utilities notification feature is Android-only, which keeps the vector off iOS and the Gemini web client. Still, the research underscores how indirect prompt injection in always-listening assistants can turn ordinary messaging apps into remote control surfaces, and why mobile users should treat voice assistant permissions with the same skepticism they apply to any other app requesting broad system access.