Back

Google Gemini Vulnerability Exploited via Malicious Notifications

Severity: Medium (Score: 54.1)

Sources: Letsdatascience, Darkreading, Feeds.4Sysops, Cybersecuritynews, www.safebreach.com

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: google, gemini, prompt, malicious, injection, notifications, voice

Severity indicators: vulnerability, ot

Summary

A newly discovered vulnerability in Google Gemini's voice assistant allows attackers to exploit indirect prompt injection through notifications from popular messaging apps like WhatsApp and Slack. Researchers at SafeBreach demonstrated that malicious commands can be embedded in notifications, enabling unauthorized actions such as faking messages, controlling smart devices, and altering memory. This technique, termed 'Fake Context Alignment,' does not require the installation of malicious apps. The vulnerability was reported to Google on August 17, 2025, and mitigated by November 14, 2025. Although Google has since implemented content classifier updates, there are currently no known instances of this exploit being used in the wild. The attack highlights the risks associated with voice assistants processing third-party content without adequate safeguards. Key Points: • Google Gemini's voice assistant is vulnerable to indirect prompt injection via notifications. • Attackers can manipulate the assistant to perform unauthorized actions without malicious app installation. • The vulnerability was reported in August 2025 and mitigated by November 2025, with no known active exploits.

Detailed Analysis

**Impact** Android users of Google Gemini voice assistant across multiple messaging platforms—including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger—are affected. The vulnerability enables attackers to manipulate voice assistant outputs, potentially leading to unauthorized control of smart devices, impersonation of trusted contacts, initiation of video calls, and poisoning of the assistant’s long-term memory. No specific geographic or sectoral data is provided, but the broad app coverage suggests a global consumer and enterprise user impact. **Technical Details** The attack exploits an indirect prompt injection vulnerability via malicious notifications containing hidden instructions embedded in foreign-language text or muted hyperlinks, a technique named "Fake Context Alignment." The voice assistant processes these notifications as executable context, enabling unauthorized actions without requiring malicious app installation. The vulnerability was reported to Google on August 17, 2025, and mitigated with content-classifier updates by November 14, 2025. No CVE identifiers or malware/tool names are provided. The attack targets the reconnaissance and execution stages of the kill chain by leveraging notification payloads to inject commands. **Recommended Response** Apply Google’s content-classifier updates released in November 2025 to mitigate this vulnerability. Monitor notification traffic for anomalous or obfuscated payloads, especially those containing foreign characters or muted hyperlinks. Harden voice assistant configurations to limit automatic execution of commands from notifications. No specific IOCs are provided; defenders should prioritize detection of suspicious notification content and user interaction patterns consistent with social engineering.

Source articles (6)

  • Malicious Notifications Could Trick Google Gemini Users — Darkreading · 2026-06-03
    A prompt injection flaw in Google Gemini's voice assistant let attackers hide malicious commands in notifications, enabling social engineering and more. A novel prompt injection technique would have l…
  • New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS — Cybersecuritynews · 2026-06-03
    A new class of indirect prompt injection (IPI) attacks targets Google Gemini’s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging…
  • Notifications Exploit Targets Google Gemini Voice Assistant | Let's Data Science — Letsdatascience · 2026-06-03
    Security researchers at SafeBreach Labs published research on June 3, 2026, showing an indirect prompt injection that could let notifications from apps like WhatsApp, Slack, SMS, Signal, Instagram, or…
  • Poisoned Android notifications could hijack Google Gemini via prompt injection — Feeds.4Sysops · 2026-06-03
    Researchers discovered a vulnerability where malicious notifications from apps like WhatsApp or Slack could hijack the Google Gemini voice assistant on Android devices. This attack vector, known as in…
  • Gemini Voice Assistant Prompt Injection Exploit — www.safebreach.com · 2026-06-03
  • Invitation Is All You Need Hacking Gemini — www.safebreach.com · 2026-06-03

Timeline

  • 2025-08-17 — Vulnerability reported to Google: SafeBreach reported the indirect prompt injection vulnerability affecting Google Gemini to Google.
  • 2025-11-14 — Mitigation deployed by Google: Google rolled out updates to address the vulnerability after responsible disclosure by SafeBreach.
  • 2026-06-03 — Research published by SafeBreach: SafeBreach published findings on the indirect prompt injection vulnerability, detailing the attack method and potential impacts.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Google (Company)
  • SafeBreach (Company)
  • SafeBreach Labs (Company)
  • Signal (Company)
  • CWE-78 - OS Command Injection (Cwe)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Android (Platform)
  • Google Gemini (Platform)
  • Instagram (Platform)
  • Messenger (Platform)
  • Slack (Platform)
  • SMS (Platform)
  • WhatsApp (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed