WhatsApp, Slack, SMS Notifications Could Hijack Google Gemini on Android
Published
Key Takeaways
- Notification-Based Hijack: WhatsApp, Slack, Signal, Instagram, SMS, and Messenger notifications could be used to hijack Google Gemini via indirect prompt injections.
- No App Required: Poisoned Android notifications alone are sufficient to manipulate Google Gemini's voice assistant, without a malicious app.
- Gemini Vulnerability: The Android Utilities Agent extension, the tool responsible for reading notifications, processes untrusted data from incoming messages.
Standard push notifications from apps such as WhatsApp, Slack, Signal, Instagram, SMS, and Messenger could be weaponized to hijack Google Gemini on Android. These apps’ notification-based indirect prompt injections could manipulate Google Gemini's voice assistant without requiring a malicious app to be installed on the target device.
The reported technique centers on how Google Gemini AI’s Android Utilities Agent extension processes contextual information from the device, including content surfaced via notifications.
How Notifications Could Hijack Google Gemini
SafeBreach Labs researchers discovered that attackers could craft notification content from any application capable of sending a message to a device, injecting malicious instructions that Google's Gemini voice assistant would then act on.
The researchers developed a new class of attacks dubbed Fake Context Alignment to bypass Google’s mitigations against Delayed Tool Invocation, which executes hidden prompts after a follow-up action or secondary condition is met.
The report outlines two techniques to get user approval for hidden prompts, which can be combined to achieve maximum reliability and stealth:
- Obfuscated Fake Context Alignment – Show a question in a foreign language at the end of its output, but ask a harmless question in English.
- Muted Fake Context Alignment – When Gemini processes text-to-speech, it does not vocally read hyperlinks that are covered by clickable text, allowing an attacker to insert malicious questions textually into clickable links.
According to the report, these exploits enable an attacker to:
- control smart home devices,
- launch unauthorized video streams,
- orchestrate large-scale social engineering by faking messages from trusted contacts,
- poison long-term memory for persistent access.
Why This Matters for Android Users
This Google Gemini AI Android Utilities agent vulnerability exploit only requires a standard notification from a trusted platform. The implications of notification-based AI hijacking are considerable to Android users who rely on Google Gemini for voice-driven tasks. Following a responsible disclosure, Google rolled out updates to mitigate these vulnerabilities.
“As part of this research, we discovered that the attack surface presented by instant messaging notifications is effectively infinite, allowing attackers to leverage a victim’s trust in their contacts to achieve severe impacts, such as large-scale social engineering,” the report said.
In other recent news, Instagram patched the Meta AI support assistant hijacking vulnerability.
Early this year, a Google Gemini prompt injection flaw allowed the exfiltration of private data via calendar invites, and an Anthropic Claude vulnerability exposed Cowork AI to data exfiltration via prompt injection.
December 2025 reports outlined a new AI-native vulnerability in Google Gemini Enterprise and Vertex AI that enabled Gmail, Docs, and Calendar data exfiltration. A promptware flaw exposed Google Home devices to Gemini exploits in August 2025.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular