A startling new vulnerability has been uncovered, allowing malicious actors to potentially hijack Google Gemini’s voice assistant on Android devices through seemingly innocuous notifications. This exploit, discovered by researchers at SafeBreach, could enable attackers to gain unauthorized access to connected devices, send fake messages, initiate calls, or even subtly alter Gemini’s long-term memory without any malicious app being installed on the victim’s phone. The core of the issue lies in how Gemini’s “Utilities” feature processes notifications.
This Android-specific vulnerability means that a poisoned notification, delivered via apps like WhatsApp, Slack, or SMS, could be interpreted by Gemini as a command. The research highlights a critical weakness where the assistant treats incoming notification text as actionable instructions, creating a wide attack surface. While Google has since patched this specific exploit, understanding its mechanics is crucial for appreciating the evolving challenges in AI security.
Exploiting Gemini’s Notification Handling
Or Yair, the SafeBreach researcher behind the discovery, identified that Gemini’s ability to read and respond to notifications on Android presented a significant security risk. Unlike its counterparts on iOS or the web, the Android version’s “Utilities” feature could process text from notifications as commands. This effectively made any app capable of sending a notification a potential vector for delivering a malicious payload. Yair described this attack surface as “effectively infinite,” underscoring the vast number of potential entry points.
At its most basic, this vulnerability allowed attackers to manipulate Gemini’s output, such as fabricating messages from a contact. For instance, a fake directive from a manager, read aloud while the user is driving, could be difficult to verify. The attack could be made even more insidious by leveraging real notifications, allowing an attacker to impersonate the sender of the most recent legitimate message.
Overcoming Google’s Defenses: Fake Context Alignment
Google had previously implemented safeguards against indirect prompt injection, particularly after SafeBreach’s earlier research involving malicious Google Calendar invites. These defenses primarily focused on ensuring that a “Yes” confirmation for a sensitive action was logically tied to both the user’s immediate reply and Gemini’s preceding output. However, Yair developed a bypass technique, dubbed “Fake Context Alignment,” which cleverly circumvented these new protections.
This new method relied on creating two simultaneous illusions. The first involved obfuscating Gemini’s authorization prompt by presenting it in a language the user didn’t understand, such as Chinese, while following up with an innocuous English phrase like “Is that all you needed?” A user responding “Yes” to the English query would inadvertently authorize the Chinese command. The second illusion was achieved by muting the malicious prompt within a hyperlink. Gemini’s text-to-speech engine would skip over the hyperlink when reading aloud, meaning the user would only hear a generic error message, while the on-screen text contained the hidden command.
By combining these techniques—a foreign language authorization prompt embedded within a muted link—Yair demonstrated a method that appeared as a normal, harmless English interaction to the user, yet successfully cleared Google’s security checks and allowed for sensitive actions to be executed.
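The two illusions suggest a check that binds a "Yes" to what the user actually heard and can read. The sketch below is an added example, not Google's classifier or SafeBreach's code; the function names, the markdown-style link rendering, and the sample turns are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumption: the assistant's on-screen turn uses markdown-style [text](url) links.
LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")

def spoken_text(displayed: str) -> str:
    """What the user hears, assuming TTS skips hyperlinks entirely."""
    return LINK.sub("", displayed).strip()

def scripts(text: str) -> set:
    """Coarse script of each letter, taken from its Unicode name (LATIN, CJK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def confirmation_problems(displayed: str, action_prompt: str, user_scripts: set) -> list:
    """Reasons a following "Yes" must NOT authorize the pending action; [] means OK."""
    heard = spoken_text(displayed)
    problems = []
    if action_prompt not in heard:
        problems.append("authorization prompt is not in the spoken text")
    if scripts(action_prompt) - user_scripts:
        problems.append("authorization prompt uses a script the user does not read")
    if not heard.endswith(action_prompt):
        problems.append("prompt is not the last thing the user heard before answering")
    return problems

# Constructed sample turns (not captured from Gemini).
PROMPT_ZH = "是否打开客厅的灯？"  # "Turn on the living-room lights?"
COMBINED = (f"Sorry, something went wrong. [{PROMPT_ZH}](https://example.invalid/a) "
            "Is that all you needed?")
BENIGN = "Do you want me to turn on the living room lights?"

if __name__ == "__main__":
    for turn, prompt in ((COMBINED, PROMPT_ZH), (BENIGN, BENIGN)):
        print(repr(spoken_text(turn)), confirmation_problems(turn, prompt, {"LATIN"}))
```

The combined turn fails all three checks, while the plain English prompt passes; a gate of this kind would refuse to treat the reply as consent and re-ask in the user's language.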
Far-Reaching Implications of the Vulnerability
Once past the authorization gate, the potential impacts extended beyond those seen in previous research. The exploit could grant attackers control over smart home devices connected through Google Home, such as lights and boilers. It also opened pathways for tracking victims via their IP addresses by directing them to specific URLs or initiating unsolicited file downloads.
Significantly, the vulnerability demonstrated the ability to cross into other applications. In a proof-of-concept, Yair showed how Gemini could be tricked into following a redirect to a Zoom app link, forcing the phone to join a meeting and stream video. This worked because Gemini trusted a seemingly legitimate domain that later served a malicious redirect. Furthermore, the exploit introduced “memory poisoning,” a capability that previous attacks lacked. By simulating consent, an attacker could make Gemini persistently store falsified information, such as a victim’s name, at the account level. This poisoned data would then follow the user across all their devices linked to that Google account. The exploit also offered persistence by scheduling recurring tasks, such as daily access to recent messages.
Google’s Response and User Control
SafeBreach reported these findings to Google’s Vulnerability Reward Program in August 2025. Google acknowledged the severity of the issue and confirmed that server-side improvements to their content classifier had addressed both the notification injection methods and the Fake Context Alignment bypass by November 2025.
As the fix is implemented server-side, no app update is required for users. The primary user-facing control remains the ability to manage Gemini’s access to notifications. Users can disconnect the Utilities app within Gemini’s Connected Apps settings or disable the Google app’s “Notification read, reply & control” permission on Android. While this specific vulnerability has been patched, the incident highlights the ongoing need for robust security measures as AI technologies become more integrated into our daily lives.

