Researchers reveal how Gemini could be hijacked via WhatsApp and Slack notifications

SafeBreach Labs disclosed a prompt injection flaw in Google ↗1.48% Gemini’s Android assistant that let attackers hijack it via app notifications.safebreach
Malicious payloads hidden in WhatsApp, Slack, or SMS messages could silently control smart home devices, activate cameras, or poison Gemini’s memory.pasqualepillitteri
Google confirmed it mitigated the vulnerability in November 2025 after SafeBreach reported it in August 2025; no public CVE was assigned.safebreach

Patched Gemini Vulnerability Let Notifications Hijack Android AI

Security researchers at SafeBreach Labs disclosed on June 2, 2026, a prompt injection vulnerability in Google Gemini’s Android voice assistant that allowed attackers to silently hijack the AI through malicious payloads hidden in everyday messaging notifications from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger. Google confirmed a server-side patch was deployed in November 2025 after the flaw was reported in August 2025.safebreach

How the Attack Worked

The vulnerability targeted Gemini’s Android Utilities agent — specifically the tool responsible for reading incoming notifications from third-party apps. Because this component processes untrusted data from anyone who can send a message to a device, attackers could craft messages containing hidden instructions that Gemini would absorb into its conversational context without any visible signal to the user.pasqualepillitteri

To bypass Google’s existing safety filters, the SafeBreach team developed a technique they called “Fake Context Alignment,” which created a dual illusion: presenting a legitimate authorization scenario to Gemini’s security mechanisms while presenting a completely different, benign scenario to the victim. One variant embedded malicious requests in a foreign language that the text-to-speech engine would read aloud but users wouldn’t understand; another hid dangerous instructions inside clickable hyperlink text that the voice engine skipped entirely.safebreach

Real-World Impact Scenarios

The researchers demonstrated five categories of abuse in controlled environments. These included controlling smart home devices such as motorized windows and lights, forcing the phone to join Zoom calls and stream the victim’s camera, poisoning Gemini’s long-term memory with false information that spread across all devices linked to the same Google account, and faking messages from trusted contacts to enable large-scale social engineering.pasqualepillitteri

“Even more alarmingly, this attack can be executed entirely blind,” SafeBreach researcher Or Yair wrote, explaining that the payload could instruct Gemini to attribute a fake message to whoever appeared first in the notification queue — requiring no prior knowledge of the victim’s contacts.safebreach

Disclosure and Patch

SafeBreach reported the findings to Google’s Vulnerability Reward Program on August 17, 2025. On November 14, 2025, Google confirmed that improvements to its content classifier mitigated the indirect prompt injections and the delayed tool invocation scenarios detailed in the research. No public CVE identifier has been assigned.pasqualepillitteri

The disclosure follows a pattern of prompt injection findings against Gemini over the past year, including calendar-based attacks disclosed at Black Hat USA and DEF CON in August 2025, and a Chrome extension hijacking flaw patched in January 2026.malwarebytes