By Allan D - Editor, AI Security Wire
Gemini Voice Assistant Hijacked via Poisoned Android Notifications
On June 3, SafeBreach Labs published a detailed writeup of a prompt injection attack against Google Gemini’s voice assistant on Android. The technique, called Fake Context Alignment, had already been quietly patched in November 2025. It hides instructions in a notification. Gemini runs them.
How It Works
The attack surface is notification text. Gemini on Android can read and process notification content from messaging apps including WhatsApp, Slack, Signal, Instagram, and SMS. The assistant treats that content as part of its operational context.
Fake Context Alignment embeds adversarial instructions inside an otherwise ordinary-looking message. The notification arrives, Gemini ingests it as context, and the hidden commands execute with the user’s session permissions. The model has no reliable way to distinguish “this is content I should help with” from “this is an instruction I should act on” when the text arrives through the notification channel.
What can an attacker do? SafeBreach documents several paths: opening connected applications or device functions, forging messages that appear to come from contacts, joining calls without user interaction, and poisoning Gemini’s long-term memory.
The memory poisoning vector is the worst one. Gemini can write notes to persistent memory that shape future interactions. A poisoned memory entry can alter the assistant’s behaviour in sessions that occur long after the original notification is gone. The attacker doesn’t need continued access. One successful injection, one written memory entry, and the behaviour modification persists until the user manually cleans it.
Because Gemini integrates with Google Home, the attack doesn’t stay on the phone. Connected locks, lights, cameras, and appliances are all in scope for an assistant that has been instructed to interact with them.
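The confusion described above, between content to help with and instructions to act on, is one that a defender can sidestep by judging tool calls on where the context came from rather than on what it says. The sketch below is an added example, not code from SafeBreach or Google and not a description of Google's mitigation; the tool names, the `ContextItem` fields and the package name are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    CONFIRM = "confirm"  # pause and ask the user on-screen before acting
    DENY = "deny"

# Hypothetical tool names (assumptions), chosen to mirror the impact paths above.
READ_ONLY = {"summarize", "read_aloud"}
DENY_IF_TAINTED = {"memory_write"}  # persistence never derives from third-party text
# Anything else (open_app, send_message, join_call, home_control, unknown tools)
# falls through to CONFIRM, so the gate fails closed.

@dataclass(frozen=True)
class ContextItem:
    channel: str  # "user" for the owner's own request, "notification" for app text
    origin: str   # "voice", or the posting app's package name
    text: str

def taint(context):
    """Return the origins of all non-user text present in this turn's context."""
    return sorted({c.origin for c in context if c.channel != "user"})

def gate(context, tool):
    """Judge a model-proposed tool call by context provenance, never by wording."""
    if not taint(context):
        return Verdict.ALLOW
    if tool in READ_ONLY:
        return Verdict.ALLOW
    if tool in DENY_IF_TAINTED:
        return Verdict.DENY
    return Verdict.CONFIRM

# Constructed sample turn: the owner asks for messages to be read while a
# third-party notification sits in the same context. The notification body is a
# placeholder because the gate deliberately ignores its wording.
SAMPLE = [
    ContextItem("user", "voice", "Read me my new messages."),
    ContextItem("notification", "com.example.chat",
                "See you at 6. <instruction-like text aimed at the assistant>"),
]

if __name__ == "__main__":
    for tool in ("read_aloud", "send_message", "home_control", "memory_write"):
        print(f"{tool:13} -> {gate(SAMPLE, tool).value}  (tainted by {taint(SAMPLE)})")
```

Because the decision never inspects the notification text, rephrasing the hidden instructions does not change the verdict; only removing the untrusted item from the turn's context does.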
The Research Timeline
SafeBreach reported this to Google on August 17, 2025. Google mitigated it on November 14, 2025. The research went public on June 3, 2026. That is a nine-month gap between report and disclosure. Responsible disclosure standards were followed. There is no evidence the technique was exploited during that window.
Why the Notification Vector Matters
The most commonly discussed prompt injection scenarios involve a user asking their AI assistant to summarise a malicious document, visit a compromised page, or process a weaponised email attachment. The notification vector requires much less.
An attacker who can send the target a WhatsApp message can attempt this attack. No document. No link. No social engineering to make the target click something. A single message formatted with embedded instructions, and if Gemini processes it, execution follows.
That significantly lowers the delivery cost compared to document-based injection or web-based injection. The attacker just needs a messaging channel to the target.
The persistent memory angle makes the risk window longer than a session. A successful attack that writes to Gemini’s memory does not expire when the user closes the app. Remediation requires the user to know the attack happened, find the poisoned memory entry, and delete it. Most users don’t audit their AI assistant’s memory.
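Finding a poisoned entry is only practical if the memory store recorded, at write time, which channels were in context. The sketch below is an added example, not Gemini's memory implementation; `MemoryStore`, its fields and the sample notes are assumptions. It quarantines every entry whose write-time context included an untrusted origin, and treats entries with no recorded provenance as untrusted.

```python
from dataclasses import dataclass, field

@dataclass
class MemoryEntry:
    entry_id: int
    note: str
    origins: tuple           # channels present in context when the note was written
    quarantined: bool = False

@dataclass
class MemoryStore:
    entries: list = field(default_factory=list)

    def write(self, note, origins):
        entry = MemoryEntry(len(self.entries) + 1, note, tuple(sorted(origins)))
        self.entries.append(entry)
        return entry

    def recall(self):
        """Only non-quarantined notes are fed into future sessions."""
        return [e.note for e in self.entries if not e.quarantined]

    def quarantine_tainted(self, trusted=("voice",)):
        """Pull entries written with untrusted or unknown context; return them for review."""
        hits = [e for e in self.entries
                if not e.quarantined
                and (not e.origins or any(o not in trusted for o in e.origins))]
        for e in hits:
            e.quarantined = True  # kept for user review, no longer shapes behaviour
        return [(e.entry_id, e.origins) for e in hits]

def demo():
    """Constructed sample: one clean note, one tainted note, one legacy note."""
    store = MemoryStore()
    store.write("Owner prefers metric units.", ["voice"])
    store.write("<note written while a chat notification was in context>",
                ["voice", "com.example.chat"])
    store.write("<legacy note, provenance not recorded>", [])
    flagged = store.quarantine_tainted()
    return store, flagged

if __name__ == "__main__":
    store, flagged = demo()
    print("flagged for review:", flagged)
    print("still recalled:", store.recall())
```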
The patch is live in current Android builds. The documented technique should not be exploitable on updated devices. But the broader class of notification-channel injection attacks against AI assistants remains an active research area, and Gemini is not the only assistant with this kind of notification integration.
Frequently Asked Questions
- How does the Fake Context Alignment technique work against Gemini?
  The attacker hides malicious instructions inside a notification from a messaging app — WhatsApp, Slack, SMS, Instagram, or Messenger. When Gemini processes the notification as context, it treats the hostile text as a trusted instruction rather than third-party input. The assistant then executes the embedded commands using the user's session permissions. The technique exploits Gemini's inability to reliably distinguish between its own operational context and attacker-controlled content arriving through the notification channel.
- Can the attack reach smart home devices?
  Yes. Because Gemini integrates with Google Home, the attack can cross from the screen into the physical environment. Connected locks, lights, cameras, and appliances are reachable through the same voice assistant session. An attacker who successfully injects a command via a poisoned notification can instruct Gemini to interact with those devices on the user's behalf.
- Has Google patched this vulnerability and was it exploited?
  Google mitigated the vulnerability on November 14, 2025. SafeBreach Labs reported it to Google on August 17, 2025. The full research paper went public on June 3, 2026, after the standard responsible-disclosure window. Google has confirmed there is no evidence of exploitation in the wild.